blob: 8864f87abce6ee1d617fc438360f049182519b04 [file] [log] [blame]
{
"schema_version": "1.3.1",
"id": "GO-2024-2456",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2023-49569",
"GHSA-449p-3h89-pw88"
],
"summary": "Path traversal and RCE in github.com/go-git/go-git/v5 and gopkg.in/src-d/go-git.v4",
"details": "Path traversal and RCE in github.com/go-git/go-git/v5 and gopkg.in/src-d/go-git.v4",
"affected": [
{
"package": {
"name": "gopkg.in/src-d/go-git.v4",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "4.7.1"
}
]
}
],
"ecosystem_specific": {}
},
{
"package": {
"name": "github.com/go-git/go-git/v5",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.11.0"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/go-git/go-git/v5",
"symbols": [
"AddOptions.Validate",
"Blame",
"BlameResult.String",
"Clone",
"CloneContext",
"CommitOptions.Validate",
"CreateTagOptions.Validate",
"GrepOptions.Validate",
"GrepResult.String",
"Init",
"InitWithOptions",
"NoMatchingRefSpecError.Error",
"Open",
"PlainClone",
"PlainCloneContext",
"PlainInit",
"PlainInitWithOptions",
"PlainOpen",
"PlainOpenWithOptions",
"Remote.Fetch",
"Remote.FetchContext",
"Remote.List",
"Remote.ListContext",
"Remote.Push",
"Remote.PushContext",
"Remote.String",
"Repository.BlobObject",
"Repository.BlobObjects",
"Repository.Branch",
"Repository.Branches",
"Repository.CommitObject",
"Repository.CommitObjects",
"Repository.Config",
"Repository.ConfigScoped",
"Repository.CreateBranch",
"Repository.CreateRemote",
"Repository.CreateRemoteAnonymous",
"Repository.CreateTag",
"Repository.DeleteBranch",
"Repository.DeleteObject",
"Repository.DeleteRemote",
"Repository.DeleteTag",
"Repository.Fetch",
"Repository.FetchContext",
"Repository.Grep",
"Repository.Head",
"Repository.Log",
"Repository.Notes",
"Repository.Object",
"Repository.Objects",
"Repository.Prune",
"Repository.Push",
"Repository.PushContext",
"Repository.Reference",
"Repository.References",
"Repository.Remote",
"Repository.Remotes",
"Repository.RepackObjects",
"Repository.ResolveRevision",
"Repository.SetConfig",
"Repository.Tag",
"Repository.TagObject",
"Repository.TagObjects",
"Repository.Tags",
"Repository.TreeObject",
"Repository.TreeObjects",
"ResetOptions.Validate",
"Status.String",
"Submodule.Init",
"Submodule.Repository",
"Submodule.Status",
"Submodule.Update",
"Submodule.UpdateContext",
"SubmoduleStatus.String",
"Submodules.Init",
"Submodules.Status",
"Submodules.Update",
"Submodules.UpdateContext",
"SubmodulesStatus.String",
"Worktree.Add",
"Worktree.AddGlob",
"Worktree.AddWithOptions",
"Worktree.Checkout",
"Worktree.Clean",
"Worktree.Commit",
"Worktree.Grep",
"Worktree.Move",
"Worktree.Pull",
"Worktree.PullContext",
"Worktree.Remove",
"Worktree.RemoveGlob",
"Worktree.Reset",
"Worktree.ResetSparsely",
"Worktree.Status",
"Worktree.Submodule",
"Worktree.Submodules",
"Worktree.checkoutFileSymlink",
"Worktree.createBranch",
"buildTreeHelper.BuildTree",
"checkFastForwardUpdate",
"isFastForward"
]
},
{
"path": "github.com/go-git/go-git/v5/config",
"symbols": [
"Branch.Validate",
"Config.Unmarshal",
"Config.Validate",
"LoadConfig",
"ReadConfig",
"RemoteConfig.Validate"
]
},
{
"path": "github.com/go-git/go-git/v5/plumbing/object",
"symbols": [
"Commit.Stats",
"Commit.StatsContext",
"Patch.Stats",
"getFileStatsFromFilePatches"
]
},
{
"path": "github.com/go-git/go-git/v5/storage/filesystem",
"symbols": [
"ConfigStorage.Config",
"ConfigStorage.SetConfig",
"ModuleStorage.Module",
"NewStorage",
"NewStorageWithOptions",
"ObjectStorage.EncodedObject"
]
},
{
"path": "github.com/go-git/go-git/v5/storage/filesystem/dotgit",
"symbols": [
"DotGit.Alternates"
]
}
]
}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49569"
}
],
"credits": [
{
"name": "Ionut Lalu"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-2456",
"review_status": "REVIEWED"
}
}