Code Execution on Git update in github.com/hashicorp/go-getter

Overview

Source

ID

GO-2024-2948

Aliases

CVE-2024-6257

GHSA-xfhp-jf8p-mh5w

Affected package

github.com/hashicorp/go-getter

Description

A crafted request can execute Git update on an existing maliciously modified Git Configuration. This can potentially lead to arbitrary code execution. When performing a Git operation, the library will try to clone the given repository to a specified destination. Cloning initializes a git config in the provided destination. An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution.

Impact

Reference links

https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081

https://github.com/advisories/GHSA-xfhp-jf8p-mh5w

https://github.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9

https://vuln.go.dev/ID/GO-2024-2948.json

Summary

5.50k

Total packages affected

Packages with at least one version that is affected by the advisory or has an affected dependency.

932

Packages with a known fix

Packages with versions affected by the advisory that have a greater version that is not affected.

0.41%

Total ecosystem affected

The proportion of packages in the ecosystem that are affected by the advisory (fixed or not).

github.com/hashicorp/go-getter

Affected Version: Introduced: 0, Fixed: 1.7.5

Patched/Unaffected

June 21, 2024

August 14, 2024

January 9, 2025

v1.7.8-0.19700101000000-f7836fb97529

January 14, 2025

Affected

April 15, 2024

October 10, 2023

July 26, 2023

March 14, 2023

February 13, 2023

June 13, 2022

May 19, 2022

May 18, 2022

January 10, 2022

December 22, 2021

October 4, 2021

September 7, 2021

August 9, 2021

July 26, 2021

June 30, 2021

June 17, 2021

March 31, 2021

January 7, 2021

November 12, 2020

September 29, 2020

September 16, 2020

v1.4.2-0.20200106182914-9813cbd4eb02

January 6, 2020

January 6, 2020

September 9, 2019

v1.3.1-0.20190906090232-a0f878cb75da

September 6, 2019

v1.3.1-0.20190822194507-f5101da01173

September 2, 2019

v1.3.1-0.20190627223108-da0323b9545e

July 1, 2019

May 14, 2019

v1.2.1-0.20190326194518-69dec094fde6

February 9, 2020

April 23, 2019

April 25, 2019

June 12, 2019

May 17, 2019

June 13, 2019

June 13, 2019

v0.0.0-20190112230949-c68364a1fae1

June 5, 2019

v0.0.0-20181213035916-be39683deade

June 14, 2019

v0.0.0-20181119194526-bd1edc22f8ea

April 25, 2019

v0.0.0-20181108020118-b6e1d7a3a787

September 10, 2019

v0.0.0-20180809191950-4bda8fa99001

June 4, 2019

v0.0.0-20180709183828-a33f09ce9fee

September 23, 2019

v0.0.0-20180425224130-3f60ec5cfbb2

April 18, 2019

v0.0.0-20180327010114-90bb99a48d86

April 23, 2019

v0.0.0-20180226183729-64040d90d4ab

June 4, 2019

v0.0.0-20180123174312-285374cdfad6

September 4, 2019

v0.0.0-20180109202350-961f56d2e933

October 22, 2019

v0.0.0-20171204192826-994f50a6f071

April 18, 2019

v0.0.0-20171007181130-2f449c791e6a

October 9, 2019

v0.0.0-20170922192948-a686900cb375

July 20, 2019

v0.0.0-20170914154444-56c651a79a6e

October 25, 2019

v0.0.0-20170504171234-90b6568eac83

October 15, 2019

v0.0.0-20170207215532-c3d66e76678d

August 23, 2019

This site uses cookies from Google to deliver its services and to analyze traffic.