HashiCorp go-getter before 2.0.2 allows Command Injection.
The MITRE CVE dictionary describes this issue as: