GSA_kwCzR0hTQS1xNjRoLTM5aHYtNGNmN84AA7KO

Critical EPSS: 0.00117% (0.31499 Percentile) EPSS:

Permalink JSON

HashiCorp go-getter Vulnerable to Argument Injection When Fetching Remote Default Git Branches

Affected Packages	Affected Versions	Fixed Versions
go:github.com/hashicorp/go-getter	>= 1.5.9, < 1.7.4	1.7.4
3,705 Dependent packages 6,872 Dependent repositories Affected Version Ranges All affected versions 1.5.9, 1.5.10, 1.5.11, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.7.1, 1.7.2, 1.7.3 All unaffected versions 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8

When go-getter is performing a Git operation, go-getter will try to clone the given repository. If a Git reference is not passed along with the Git url, go-getter will then try to check the remote repository’s HEAD reference of its default branch by passing arguments to the Git binary on the host it is executing on.

An attacker may format a Git URL in order to inject additional Git arguments to the Git call.

Consumers of the go-getter library should evaluate the risk associated with these issues in the context of their go-getter usage and upgrade go-getter to 1.7.4 or later.

References:

Identifiers

GHSA-q64h-39hv-4cf7

CVE-2024-3817

Risk

Severity

Critical

EPSS

EPSS Percentage: 0.00117

EPSS Percentile: 0.31499

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/hashicorp/go-getter

Date and time

Published

over 1 year ago

Updated

about 1 year ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories