id: GO-2024-2800
modules:
    - module: github.com/hashicorp/go-getter
      versions:
        - introduced: 1.5.9
          fixed: 1.7.4
      vulnerable_at: 1.7.3
      packages:
        - package: github.com/hashicorp/go-getter
          symbols:
            - GitGetter.clone
            - findRemoteDefaultBranch
          derived_symbols:
            - Client.ChecksumFromFile
            - Client.Get
            - FolderStorage.Get
            - Get
            - GetAny
            - GetFile
            - GitGetter.Get
            - GitGetter.GetFile
            - HttpGetter.Get
summary: Argument injection when fetching remote default Git branches in github.com/hashicorp/go-getter
description: |-
    When go-getter is performing a Git operation, go-getter will try to clone the
    given repository. If a Git reference is not passed along with the Git URL,
    go-getter will then try to check the remote repository's HEAD reference of its
    default branch by passing arguments to the Git binary on the host it is
    executing on.
    An attacker may format a Git URL in order to inject additional Git arguments into
    the Git call.
cves:
    - CVE-2024-3817
ghsas:
    - GHSA-q64h-39hv-4cf7
references:
    - advisory: https://github.com/advisories/GHSA-q64h-39hv-4cf7
    - fix: https://github.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9
    - web: https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040
source:
    id: GHSA-q64h-39hv-4cf7
    created: 2024-05-10T15:59:32.195034-04:00
    review_status: REVIEWED