Vulnerability Report: GO-2024-2948
- CVE-2024-6257, GHSA-xfhp-jf8p-mh5w
- Affects: github.com/hashicorp/go-getter
- Published: Jun 28, 2024
A crafted request can cause go-getter to run a Git update against a destination whose Git configuration has already been maliciously modified, which can lead to arbitrary code execution. When performing a Git operation, the library clones the given repository into the specified destination, and cloning initializes a Git config inside that destination. An attacker who can write to the destination may alter that config after the clone so that a later update applies attacker-chosen Git settings and achieves code execution.
For detailed information about this vulnerability, visit https://github.com/advisories/GHSA-xfhp-jf8p-mh5w.
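The following Go program is an added example, not code from go-getter, from the advisory, or from the v1.7.5 fix. It shows one defensive check a caller can run before letting any tool update a repository in place inside a directory that other parties may have written to: parse the destination's .git/config, accept only the keys a fresh clone writes plus the remote URL that was requested, and report anything else so the caller can discard the directory and clone afresh instead of updating. The allowlist of clone-written keys, the two sample config texts and the option name used in the tampered sample are assumptions constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Keys a fresh non-bare `git clone` writes into .git/config. This allowlist is an
// assumption of this example, not taken from go-getter or the advisory; extend it
// if your git version writes additional keys.
var cloneWrittenKeys = map[string]bool{
	"core.repositoryformatversion": true,
	"core.filemode":                true,
	"core.bare":                    true,
	"core.logallrefupdates":        true,
	"core.ignorecase":              true,
	"core.precomposeunicode":       true,
	"remote.origin.url":            true,
	"remote.origin.fetch":          true,
}

// clone also writes branch.<name>.remote and branch.<name>.merge for the checked-out branch.
var branchKeyRe = regexp.MustCompile(`^branch\.[^.]+\.(remote|merge)$`)

// Matches `[section]` or `[section "subsection"]`.
var sectionRe = regexp.MustCompile(`^\[([A-Za-z0-9.-]+)(?:\s+"([^"]*)")?\]$`)

// ParseGitConfig flattens an INI-style git config into "section[.subsection].key" -> value.
// Section and key names are case-insensitive in git; subsection names are not.
func ParseGitConfig(text string) (map[string]string, error) {
	out := map[string]string{}
	section := ""
	sc := bufio.NewScanner(strings.NewReader(text))
	for lineNo := 1; sc.Scan(); lineNo++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		if m := sectionRe.FindStringSubmatch(line); m != nil {
			section = strings.ToLower(m[1])
			if m[2] != "" {
				section += "." + m[2]
			}
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok || section == "" {
			return nil, fmt.Errorf("line %d: cannot parse %q", lineNo, line)
		}
		out[section+"."+strings.ToLower(strings.TrimSpace(key))] = strings.TrimSpace(val)
	}
	return out, sc.Err()
}

// CheckBeforeUpdate inspects the .git/config already present in a destination and returns
// the reasons an in-place update should be refused: any key a clone would not have written,
// or a remote URL that differs from the one the caller asked for. An empty result means the
// config looks like an untouched clone of expectedRemote.
func CheckBeforeUpdate(configText, expectedRemote string) ([]string, error) {
	cfg, err := ParseGitConfig(configText)
	if err != nil {
		return nil, err
	}
	var problems []string
	for k := range cfg {
		if !cloneWrittenKeys[k] && !branchKeyRe.MatchString(k) {
			problems = append(problems, "unexpected key: "+k)
		}
	}
	if url, ok := cfg["remote.origin.url"]; !ok || url != expectedRemote {
		problems = append(problems, "remote.origin.url is not "+expectedRemote)
	}
	sort.Strings(problems)
	return problems, nil
}

// Constructed sample: what a fresh clone leaves behind in .git/config.
const cleanConfig = `[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
[remote "origin"]
	url = git@github.com:hashicorp/go-getter.git
	fetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
	remote = origin
	merge = refs/heads/main
`

// Constructed sample: the same file after someone with write access to the destination
// appended an option. core.sshCommand is a documented git option naming a program git runs
// in place of ssh; the check does not depend on knowing that, it flags every key a clone
// would not have written, so no denylist of dangerous options is needed.
const tamperedConfig = cleanConfig + `[core]
	sshCommand = /tmp/not-really-ssh
`

func main() {
	for name, cfg := range map[string]string{"clean": cleanConfig, "tampered": tamperedConfig} {
		problems, err := CheckBeforeUpdate(cfg, "git@github.com:hashicorp/go-getter.git")
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		if len(problems) == 0 {
			fmt.Println(name + ": safe to update in place")
		} else {
			fmt.Println(name+": refuse in-place update, re-clone instead:", problems)
		}
	}
}
```

The allowlist approach is deliberate: git has many options that cause it to run external programs, and a denylist would have to track all of them across git versions, whereas a fresh clone writes a small, stable set of keys. Anything outside that set in a directory the caller does not fully control is reason enough to throw the directory away and clone again.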
Affected Packages
- Path: github.com/hashicorp/go-getter
  Go Versions: before v1.7.5
  Symbols: none listed
References
- https://github.com/advisories/GHSA-xfhp-jf8p-mh5w
- https://github.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9
- https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081
- https://vuln.go.dev/ID/GO-2024-2948.json