Aliases: CVE-2024-3817, GHSA-q64h-39hv-4cf7 Fixes #2800 Updates #2738 Change-Id: Ied6424dde63b681ba7d67bf041eefe73658b6428 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/584756 Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Showing
2 changed files
with
113 additions
and
0 deletions.
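--- /dev/null
+++ b/PLACEHOLDER_PATH/GO-2024-2800.json
@@ -0,0 +1,70 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2024-2800",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2024-3817",
+"GHSA-q64h-39hv-4cf7"
+],
+"summary": "Argument injection when fetching remote default Git branches in github.com/hashicorp/go-getter",
+"details": "When go-getter is performing a Git operation, go-getter will try to clone the given repository. If a Git reference is not passed along with the Git url, go-getter will then try to check the remote repository's HEAD reference of its default branch by passing arguments to the Git binary on the host it is executing on.\n\nAn attacker may format a Git URL in order to inject additional Git arguments to the Git call.",
+"affected": [
+{
+"package": {
+"name": "github.com/hashicorp/go-getter",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "1.5.9"
+},
+{
+"fixed": "1.7.4"
+}
+]
+}
+],
+"ecosystem_specific": {
+"imports": [
+{
+"path": "github.com/hashicorp/go-getter",
+"symbols": [
+"Client.ChecksumFromFile",
+"Client.Get",
+"FolderStorage.Get",
+"Get",
+"GetAny",
+"GetFile",
+"GitGetter.Get",
+"GitGetter.GetFile",
+"GitGetter.clone",
+"HttpGetter.Get",
+"findRemoteDefaultBranch"
+]
+}
+]
+}
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://github.com/advisories/GHSA-q64h-39hv-4cf7"
+},
+{
+"type": "FIX",
+"url": "https://github.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9"
+},
+{
+"type": "WEB",
+"url": "https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2024-2800"
+}
+}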
@@ -0,0 +1,43 @@ | ||
id: GO-2024-2800 | ||
modules: | ||
- module: github.com/hashicorp/go-getter | ||
versions: | ||
- introduced: 1.5.9 | ||
fixed: 1.7.4 | ||
vulnerable_at: 1.7.3 | ||
packages: | ||
- package: github.com/hashicorp/go-getter | ||
symbols: | ||
- GitGetter.clone | ||
- findRemoteDefaultBranch | ||
derived_symbols: | ||
- Client.ChecksumFromFile | ||
- Client.Get | ||
- FolderStorage.Get | ||
- Get | ||
- GetAny | ||
- GetFile | ||
- GitGetter.Get | ||
- GitGetter.GetFile | ||
- HttpGetter.Get | ||
summary: Argument injection when fetching remote default Git branches in github.com/hashicorp/go-getter | ||
description: |- | ||
When go-getter is performing a Git operation, go-getter will try to clone the | ||
given repository. If a Git reference is not passed along with the Git url, | ||
go-getter will then try to check the remote repository's HEAD reference of its | ||
default branch by passing arguments to the Git binary on the host it is | ||
executing on. | ||
An attacker may format a Git URL in order to inject additional Git arguments to | ||
the Git call. | ||
cves: | ||
- CVE-2024-3817 | ||
ghsas: | ||
- GHSA-q64h-39hv-4cf7 | ||
references: | ||
- advisory: https://github.com/advisories/GHSA-q64h-39hv-4cf7 | ||
- fix: https://github.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9 | ||
- web: https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040 | ||
source: | ||
id: GHSA-q64h-39hv-4cf7 | ||
created: 2024-05-10T15:59:32.195034-04:00 |
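Review bot: The `description` block spells the same term two ways, `Git url` on the second line and `Git URL` in the final sentence, and because the OSV `details` field is generated from this block the inconsistency is carried into the published advisory (it is visible in the JSON file of this commit). Change the second line to `given repository. If a Git reference is not passed along with the Git URL,` so the two sentences agree. Separately, the hunk header `@@ -0,0 +1,43 @@` counts one more line than the page shows; this is presumably the paragraph break between `executing on.` and `An attacker may …` that the JSON `details` carries as `\n\n`, so confirm the blank line is present in the committed YAML rather than lost in rendering.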