x/vulndb: potential Go vuln in github.com/hashicorp/go-getter
Acknowledgement
- [X] The maintainer(s) of the affected project have already been made aware of this vulnerability.
Description
An issue in the hashicorp/go-getter package has been reported by HashiCorp itself (https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040) on 17 April, tracked under CVE-2024-3817.
At the time of writing, the most recent vulnerability in the Go vulndb for github.com/hashicorp/go-getter was GO-2023-1578, which is from 2023.
Hence this report, to add the vulnerability to the database as well.
Carbon copy of the description in the report:
Summary
HashiCorp's go-getter library is vulnerable to argument injection when executing Git to discover remote branches. This vulnerability, CVE-2024-3817, is fixed in go-getter 1.7.4.
This vulnerability does not affect the go-getter/v2 branch and package.
Background
HashiCorp's go-getter is a library for Go for downloading files or directories from various sources using a URL as the primary form of input.
Details
When go-getter is performing a Git operation, go-getter will try to clone the given repository. If a Git reference is not passed along with the Git URL, go-getter will then try to check the remote repository's HEAD reference of its default branch by passing arguments to the Git binary on the host it is executing on.
An attacker may format a Git URL in order to inject additional Git arguments to the Git call.
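As an added example (not go-getter's own code and not the fix shipped in 1.7.4), the following shows one way a caller that shells out to Git for default-branch discovery can keep a user-supplied URL from being read as an option: reject option-like input up front and end option parsing with `--` before the URL. The `git ls-remote --symref` invocation, the `remoteHeadArgs`/`parseSymrefHead`/`defaultBranch` names and the sample output are my assumptions for illustration.

```go
package main

import (
	"bufio"
	"errors"
	"os/exec"
	"strings"
)

// ErrSuspiciousURL is returned for repository strings that git could
// interpret as an option rather than as a repository URL.
var ErrSuspiciousURL = errors.New("repository URL must not begin with '-'")

// remoteHeadArgs builds the argument vector used to discover the default
// branch. Input that looks like an option is rejected, and "--" ends
// option parsing so git treats everything after it as an operand.
func remoteHeadArgs(repoURL string) ([]string, error) {
	if repoURL == "" || strings.HasPrefix(repoURL, "-") {
		return nil, ErrSuspiciousURL
	}
	return []string{"ls-remote", "--symref", "--", repoURL, "HEAD"}, nil
}

// parseSymrefHead extracts the branch name from `git ls-remote --symref`
// output, whose symbolic line looks like "ref: refs/heads/main\tHEAD".
func parseSymrefHead(output string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 3 && fields[0] == "ref:" && fields[2] == "HEAD" {
			return strings.TrimPrefix(fields[1], "refs/heads/"), nil
		}
	}
	return "", errors.New("no symbolic HEAD ref in ls-remote output")
}

// defaultBranch runs git with the hardened argument vector (needs network
// access to the remote; the parser above can be exercised offline).
func defaultBranch(repoURL string) (string, error) {
	args, err := remoteHeadArgs(repoURL)
	if err != nil {
		return "", err
	}
	out, err := exec.Command("git", args...).Output()
	if err != nil {
		return "", err
	}
	return parseSymrefHead(string(out))
}
```

The `--` terminator is the generic end-of-options convention understood by git's option parser; pairing it with the prefix check means an option-like string is refused before git ever sees it.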
Affected Modules, Packages, Versions and Symbols
Module: github.com/hashicorp/go-getter
Versions:
- Introduced: 1.5.9
- Fixed: 1.7.4
CVE/GHSA ID
CVE-2024-3817
Fix Commit or Pull Request
No response
References
- https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040
Additional information
No response