GO-2024-2948

Source
https://pkg.go.dev/vuln/GO-2024-2948
Import Source
https://vuln.go.dev/ID/GO-2024-2948.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2024-2948
Aliases
Published
2024-06-28T18:33:10Z
Modified
2024-07-15T22:12:28.995940Z
Summary
Code Execution on Git update in github.com/hashicorp/go-getter
Details

A crafted request can trigger a Git update against an existing, maliciously modified Git configuration, which can potentially lead to arbitrary code execution. When performing a Git operation, the library tries to clone the given repository into a specified destination; cloning initializes a Git config in that destination. An attacker who can alter the Git config after the cloning step can set arbitrary Git configuration values that are honored on the subsequent update, achieving code execution.

References

Affected packages

Go / github.com/hashicorp/go-getter

Package

Name
github.com/hashicorp/go-getter
Purl
pkg:golang/github.com/hashicorp/go-getter

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.7.5

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/hashicorp/go-getter",
            "symbols": [
                "Client.ChecksumFromFile",
                "Client.Get",
                "FolderStorage.Get",
                "Get",
                "GetAny",
                "GetFile",
                "GitGetter.Get",
                "GitGetter.GetFile",
                "GitGetter.clone",
                "HttpGetter.Get",
                "findRemoteDefaultBranch"
            ]
        }
    ]
}