CVE-2022-30321
Published: 25 May 2022
Summary
CVE-2022-30321 is a high-severity Path Traversal (CWE-22) vulnerability in Hashicorp Go-Getter. Its CVSS base score is 8.6 (High).
Operationally, it ranks in the top 10.3% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-30321 affects the go-getter library up to versions 1.5.11 and 2.0.2. The flaws are a combination of path traversal, symlink processing, and command injection issues that together allow a fetched artifact to reach arbitrary locations on the host. The library is commonly used by HashiCorp tools and other Go-based projects that retrieve remote artifacts.
Unauthenticated remote attackers can exploit the vulnerabilities over the network without user interaction. Successful exploitation yields limited impacts on confidentiality and integrity alongside high availability impact, as reflected in the CVSS 8.6 rating and the associated CWEs for path traversal, symlink following, and command injection.
Advisories from HashiCorp reference HCSEC-2022-13 and direct users to update go-getter to 1.6.1 or 2.1.0, with corresponding releases published to address the issues. The listed discussion threads and GitHub release notes provide the primary guidance on remediation.
EPSS for the CVE reached a peak of 0.0651 on 2026-05-20 before receding to the current value of 0.0475. No information is supplied on observed real-world exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-3749
Vulnerability details
go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
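As an added example of the control described above (not go-getter's own code, nor HashiCorp's fix), the following Go functions confine an untrusted entry name, and the target of a symlink that would be created from it, to a destination directory. Function names and the sample paths are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideDest is returned for any name or link target landing outside dst.
var ErrOutsideDest = errors.New("path escapes destination directory")

// within reports whether full lies under dst. It uses filepath.Rel rather than
// a string prefix test, so dst "/tmp/out" does not accept "/tmp/outside/x".
func within(dst, full string) bool {
	rel, err := filepath.Rel(dst, full)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ContainedPath joins an untrusted entry name (archive member, remote listing) onto
// dst, rejecting absolute or drive-qualified names and any ".." climbing above dst.
func ContainedPath(dst, name string) (string, error) {
	if filepath.IsAbs(name) || filepath.VolumeName(name) != "" {
		return "", ErrOutsideDest
	}
	dst = filepath.Clean(dst)
	full := filepath.Join(dst, name) // Join cleans, so "a/../../b" collapses first
	if !within(dst, full) {
		return "", ErrOutsideDest
	}
	return full, nil
}

// CheckSymlinkTarget validates a symlink to be created at linkName (relative to dst)
// pointing at target; relative targets resolve against the link's own directory.
func CheckSymlinkTarget(dst, linkName, target string) error {
	linkPath, err := ContainedPath(dst, linkName)
	if err != nil {
		return err
	}
	if filepath.IsAbs(target) || !within(filepath.Clean(dst), filepath.Join(filepath.Dir(linkPath), target)) {
		return ErrOutsideDest
	}
	return nil
}

func main() { // constructed sample inputs, not taken from the advisory
	_, err := ContainedPath("/tmp/out", "../../etc/passwd")
	fmt.Println("traversal rejected:", err == ErrOutsideDest, "| symlink escape rejected:",
		CheckSymlinkTarget("/tmp/out", "a/link", "../../secret") == ErrOutsideDest)
}
```

Applying the same check to every member of an extracted archive and to every symlink before it is created is what keeps a malicious remote artifact from writing outside the chosen destination.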