Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1tdzk5LTljaGMteHc3cs4AA4Cr

Maliciously crafted Git server replies can cause DoS on go-git clients

Impact

A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients.

Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability.
This is a go-git implementation issue and does not affect the upstream git cli.

Patches

Users running versions of go-git from v4 and above are recommended to upgrade to v5.11 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible, we recommend limiting its use to only trust-worthy Git servers.

Credit

Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us.

References

• GHSA-mw99-9chc-xw7r

Permalink: https://github.com/advisories/GHSA-mw99-9chc-xw7r
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tdzk5LTljaGMteHc3cs4AA4Cr
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 5 months ago
Updated: 4 months ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-mw99-9chc-xw7r, CVE-2023-49568
References:

• https://github.com/go-git/go-git/security/advisories/GHSA-mw99-9chc-xw7r
• https://nvd.nist.gov/vuln/detail/CVE-2023-49568
• https://github.com/advisories/GHSA-mw99-9chc-xw7r

Repository: https://github.com/go-git/go-git
Blast Radius: 31.0

Affected Packages