Fetch CVE-2022-27664

Open trsreagan3 opened this issue 2 years ago • 2 comments

  • This scan was run against version 0.4.2, as that is what is installed by gruntwork-installer. If this has been patched in one of the recent releases, this can be closed.
  • CVE-2022-27664
  • Installed version: 1.16.2
  • Patched version: 1.18.6
  • Paths: /usr/local/bin/fetch
  • Description: In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, a closing HTTP/2 server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. This failure mode could be exploited to cause a denial of service.
  • References: https://nvd.nist.gov/vuln/detail/CVE-2022-27664

trsreagan3, Apr 11 '23 08:04
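An added example, not part of the original issue or the fetch project's code: a small Go program that reads the toolchain version embedded in a Go binary and applies the version ranges quoted in the CVE description above. It assumes the "Installed version" in the scan is the Go version the binary was built with; the function names `parseGoVersion` and `affected` are hypothetical, and the default path is the one from the report.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// parseGoVersion turns "go1.16.2" into [1 16 2]. A missing patch ("go1.19")
// or a pre-release tag ("go1.19rc2") is read as patch 0 of that minor.
func parseGoVersion(s string) (ver [3]int, err error) {
	parts := strings.SplitN(strings.TrimPrefix(strings.TrimSpace(s), "go"), ".", 3)
	if len(parts) < 2 {
		return ver, fmt.Errorf("unrecognised Go version %q", s)
	}
	for i, p := range parts {
		end := 0 // keep only the leading digits of each component
		for end < len(p) && p[end] >= '0' && p[end] <= '9' {
			end++
		}
		if ver[i], err = strconv.Atoi(p[:end]); err != nil {
			return ver, fmt.Errorf("unrecognised Go version %q", s)
		}
	}
	return ver, nil
}

// affected applies the advisory ranges: before 1.18.6, and 1.19.x before 1.19.1.
func affected(goVersion string) (bool, error) {
	v, err := parseGoVersion(goVersion)
	if err != nil || v[0] != 1 {
		return false, fmt.Errorf("cannot evaluate version %q", goVersion)
	}
	return v[1] < 18 || (v[1] == 18 && v[2] < 6) || (v[1] == 19 && v[2] < 1), nil
}

func main() {
	path := "/usr/local/bin/fetch" // path from the scan report; override with argv[1]
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, "not a readable Go binary:", err)
		os.Exit(2)
	}
	bad, err := affected(info.GoVersion)
	fmt.Printf("%s built with %s: affected=%v err=%v\n", path, info.GoVersion, bad, err)
}
```

The check reports only the toolchain version stamped into the binary; it does not determine whether the program exercises the net/http HTTP/2 server code the CVE describes.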

Thanks for bringing this to our attention, @trsreagan3. We will have a look and take steps to prioritize work accordingly.

gitsstewart, Apr 11 '23 17:04

Should we close this issue given that #116 is merged?

josh-padnick, May 04 '23 18:05

Fixed in https://github.com/gruntwork-io/fetch/releases/tag/v0.4.6

denis256, May 26 '25 14:05