
x/vulndb: potential Go vuln in github.com/hashicorp/go-getter: GHSA-xfhp-jf8p-mh5w #2948

Closed
GoVulnBot opened this issue Jun 25, 2024 · 1 comment

Comments

@GoVulnBot

Advisory GHSA-xfhp-jf8p-mh5w references a vulnerability in the following Go modules:

Module
github.com/hashicorp/go-getter

Description:
HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution. When go-getter is performing a Git operation, go-getter will try to clone the given repository in a specified destination. Cloning initializes a git config to the provided destination and if the repository needs to get updated go-getter will pull the new changes.

An attacker may alter the Git config after the cloning step to set an arbitrary
Git configuration to achieve code execution.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/hashicorp/go-getter
      versions:
        - fixed: 1.7.5
      vulnerable_at: 1.7.4
      packages:
        - package: github.com/hashicorp/go-getter
summary: |-
    HashiCorp go-getter Vulnerable to Code Execution On Git Update Via Git Config
    Manipulation in github.com/hashicorp/go-getter
cves:
    - CVE-2024-6257
ghsas:
    - GHSA-xfhp-jf8p-mh5w
references:
    - advisory: https://github.com/advisories/GHSA-xfhp-jf8p-mh5w
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-6257
    - fix: https://github.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9
    - web: https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081
source:
    id: GHSA-xfhp-jf8p-mh5w
    created: 2024-06-25T21:01:24.859691636Z
review_status: UNREVIEWED
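One defensive check an updater can run before pulling into an existing destination, shown here as an added example that is neither go-getter's own code nor the fix referenced above: it parses the checkout's `.git/config` and reports any key that a plain `git clone` would not have written, so a modified config is refused rather than trusted. The allowlist of clone-written keys is an assumption for illustration and would need tuning for clone options such as submodules.

```go
package main

import "strings"

// Config entries that a plain `git clone` writes; "*" stands for any remote or
// branch name. A hypothetical allowlist for illustration, not go-getter's fix.
var allowedKeys = map[string]bool{
	"core.repositoryformatversion": true, "core.filemode": true, "core.bare": true,
	"core.logallrefupdates": true, "core.ignorecase": true, "core.precomposeunicode": true,
	"remote.*.url": true, "remote.*.fetch": true, "branch.*.remote": true, "branch.*.merge": true,
}

// parseGitConfig reads the INI subset git writes ([section] / [section "sub"] headers,
// `name = value` lines, # or ; comments) and returns {exact, wildcarded} key pairs.
func parseGitConfig(cfg string) [][2]string {
	var keys [][2]string
	section, sub := "", ""
	for _, raw := range strings.Split(cfg, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			name, rest, _ := strings.Cut(strings.TrimSpace(line[1:len(line)-1]), " ")
			section, sub = strings.ToLower(name), strings.Trim(strings.TrimSpace(rest), `"`)
			continue
		}
		key, _, _ := strings.Cut(line, "=") // a bare `name` line means boolean true
		key = strings.ToLower(strings.TrimSpace(key))
		exact, pattern := section+"."+key, section+"."+key
		if sub != "" {
			exact, pattern = section+"."+sub+"."+key, section+".*."+key
		}
		keys = append(keys, [2]string{exact, pattern})
	}
	return keys
}

// unexpectedConfigKeys returns every key in .git/config that clone would not have
// written. Empty means the config is as the clone left it; anything else should make
// an updater refuse the in-place pull, log the keys, and re-clone into a fresh directory.
func unexpectedConfigKeys(cfg string) []string {
	var bad []string
	for _, k := range parseGitConfig(cfg) {
		if !allowedKeys[k[0]] && !allowedKeys[k[1]] {
			bad = append(bad, k[0])
		}
	}
	return bad
}
```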

@gopherbot
Contributor

Change https://go.dev/cl/595255 mentions this issue: data/reports: add GO-2024-2948
