CVE-2022-30321: 
Red Hat Enterprise Linux CoreOS (RHCOS) vulnerability analysis and mitigation

The vulnerability CVE-2022-30321 affects HashiCorp's go-getter library versions up to 1.5.11 and 2.0.2. The vulnerability was discovered and disclosed on May 24, 2022, allowing arbitrary host access through go-getter path traversal, symlink processing, and command injection flaws. The issue was fixed in versions 1.6.1 and 2.1.0 (HashiCorp Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 8.6 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H. The technical issue stems from improper handling of HTTP responses, response headers, and configuration processing. The vulnerability is categorized under multiple CWE categories including CWE-22 (Path Traversal), CWE-77 (Command Injection), and CWE-59 (Improper Link Resolution Before File Access) (NVD).

The vulnerability could allow attackers to gain arbitrary host access through multiple attack vectors including path traversal, symlink processing, and command injection. The exposure impact varies depending on the context and threat model of the system using the go-getter library, with server-side usage potentially having a greater degree of exposure than client-side usage (HashiCorp Advisory).

Users are advised to upgrade to go-getter versions 1.6.1 and 2.1.0 or newer. The fix includes new configuration options such as DisableSymlinks, DoNotCheckHeadFirst, HeadFirstTimeout, ReadTimeout, MaxBytes, ConfigInDestinationDisabled, XTerraformGetDisabled, and XTerraformGetLimit to address exposure more comprehensively (HashiCorp Advisory).