Argument injection when fetching remote default Git branches in github.com/hashicorp/go-getter

Overview

Source

ID

GO-2024-2800

Aliases

CVE-2024-3817

GHSA-q64h-39hv-4cf7

Affected package

github.com/hashicorp/go-getter

Description

When go-getter is performing a Git operation, go-getter will try to clone the given repository. If a Git reference is not passed along with the Git url, go-getter will then try to check the remote repository's HEAD reference of its default branch by passing arguments to the Git binary on the host it is executing on.

An attacker may format a Git URL in order to inject additional Git arguments to the Git call.

Impact

Reference links

https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040

https://github.com/advisories/GHSA-q64h-39hv-4cf7

https://github.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9

https://vuln.go.dev/ID/GO-2024-2800.json

Summary

2.08k

Total packages affected

Packages with at least one version that is affected by the advisory or has an affected dependency.

480

Packages with a known fix

Packages with versions affected by the advisory that have a greater version that is not affected.

0.16%

Total ecosystem affected

The proportion of packages in the ecosystem that are affected by the advisory (fixed or not).

github.com/hashicorp/go-getter

Affected Version: Introduced: 1.5.9, Fixed: 1.7.4

Patched/Unaffected

v0.0.0-20170207215532-c3d66e76678d

August 23, 2019

v0.0.0-20170504171234-90b6568eac83

October 15, 2019

v0.0.0-20170914154444-56c651a79a6e

October 25, 2019

v0.0.0-20170922192948-a686900cb375

July 20, 2019

v0.0.0-20171007181130-2f449c791e6a

October 9, 2019

v0.0.0-20171204192826-994f50a6f071

April 18, 2019

v0.0.0-20180109202350-961f56d2e933

October 22, 2019

v0.0.0-20180123174312-285374cdfad6

September 4, 2019

v0.0.0-20180226183729-64040d90d4ab

June 4, 2019

v0.0.0-20180327010114-90bb99a48d86

April 23, 2019

v0.0.0-20180425224130-3f60ec5cfbb2

April 18, 2019

v0.0.0-20180709183828-a33f09ce9fee

September 23, 2019

v0.0.0-20180809191950-4bda8fa99001

June 4, 2019

v0.0.0-20181108020118-b6e1d7a3a787

September 10, 2019

v0.0.0-20181119194526-bd1edc22f8ea

April 25, 2019

v0.0.0-20181213035916-be39683deade

June 14, 2019

v0.0.0-20190112230949-c68364a1fae1

June 5, 2019

June 13, 2019

June 13, 2019

May 17, 2019

June 12, 2019

April 25, 2019

April 23, 2019

v1.2.1-0.20190326194518-69dec094fde6

February 9, 2020

May 14, 2019

v1.3.1-0.20190627223108-da0323b9545e

July 1, 2019

v1.3.1-0.20190822194507-f5101da01173

September 2, 2019

v1.3.1-0.20190906090232-a0f878cb75da

September 6, 2019

September 9, 2019

January 6, 2020

v1.4.2-0.20200106182914-9813cbd4eb02

January 6, 2020

September 16, 2020

September 29, 2020

November 12, 2020

January 7, 2021

March 31, 2021

June 17, 2021

June 30, 2021

July 26, 2021

August 9, 2021

September 7, 2021

April 15, 2024

June 21, 2024

August 14, 2024

January 9, 2025

v1.7.8-0.19700101000000-f7836fb97529

January 14, 2025

Affected

October 10, 2023

July 26, 2023

March 14, 2023

February 13, 2023

June 13, 2022

May 19, 2022

May 18, 2022

January 10, 2022

December 22, 2021

October 4, 2021

This site uses cookies from Google to deliver its services and to analyze traffic.