HashiCorp go-getter Vulnerable to Code Execution On Git Update Via Git Config Manipulation
Overview
ID: GHSA-xfhp-jf8p-mh5w
Aliases: CVE-2024-6257, GO-2024-2948
Description
HashiCorp's go-getter library can be coerced into executing a Git update on an existing, maliciously modified Git configuration, potentially leading to arbitrary code execution. When go-getter performs a Git operation, it tries to clone the given repository into a specified destination. Cloning initializes a Git config in that destination, and if the repository later needs to be updated, go-getter pulls the new changes into it.
An attacker may alter the Git config after the cloning step, setting arbitrary Git configuration to achieve code execution when the update runs.
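A pre-update integrity check in the spirit of the description above, as an added example (not go-getter's own code, and assuming the caller keeps the recorded digest somewhere the checkout directory cannot overwrite): hash .git/config right after the clone, and refuse to pull into the destination if that file has changed since.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"os"
	"path/filepath"
)

// SnapshotGitConfig hashes <dest>/.git/config right after cloning. Keep the
// digest outside dest, since dest is the directory an attacker may write to.
func SnapshotGitConfig(dest string) (string, error) {
	data, err := os.ReadFile(filepath.Join(dest, ".git", "config"))
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:]), nil
}

// VerifyGitConfig runs before the update step and reports whether the config
// still matches the recorded digest; on false, discard the checkout and clone
// again instead of pulling into it.
func VerifyGitConfig(dest, expected string) (bool, error) {
	got, err := SnapshotGitConfig(dest)
	return err == nil && got == expected, err
}

// SimulateTamper writes a constructed config into dest (as a clone would),
// snapshots it, rewrites it as a post-clone tamper would, and reports whether
// the pre-update check rejected the checkout.
func SimulateTamper(dest string) (bool, error) {
	cfg := filepath.Join(dest, ".git", "config")
	if err := os.MkdirAll(filepath.Dir(cfg), 0o755); err != nil {
		return false, err
	}
	if err := os.WriteFile(cfg, []byte("[core]\n\tbare = false\n"), 0o644); err != nil {
		return false, err
	}
	digest, err := SnapshotGitConfig(dest)
	if err != nil {
		return false, err
	}
	// Any edit at all (added section, rewritten key) changes the digest.
	if err := os.WriteFile(cfg, []byte("[core]\n\tbare = false\n[x]\n\ty = z\n"), 0o644); err != nil {
		return false, err
	}
	ok, err := VerifyGitConfig(dest, digest)
	return !ok && err == nil, err
}
```

The check only guards the window between clone and update; a fixed go-getter release (1.7.5 or later) remains the actual remedy.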
Impact
Severity: 8.4 HIGH (latest CVSS score reported by the source of the advisory)
Summary
Total packages affected: 5.50k (packages with at least one version that is affected by the advisory or has an affected dependency)
Packages with a known fix: 932 (packages with versions affected by the advisory that have a greater version that is not affected)
Total ecosystem affected: 0.41% (the proportion of packages in the ecosystem that are affected by the advisory, fixed or not)
Affected versions: introduced in 0, fixed in 1.7.5