Lucene search

K
osvGoogleOSV:GO-2024-2948
HistoryJun 28, 2024 - 6:33 p.m.

Code Execution on Git update in github.com/hashicorp/go-getter

2024-06-2818:33:10
Google
osv.dev
2
git update
malicious modification
arbitrary code execution
library
cloning

8.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

0.0004 Low

EPSS

Percentile

9.1%

A crafted request can execute Git update on an existing maliciously modified Git Configuration. This can potentially lead to arbitrary code execution. When performing a Git operation, the library will try to clone the given repository to a specified destination. Cloning initializes a git config in the provided destination. An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution.

CPENameOperatorVersion
github.com/hashicorp/go-getterlt1.7.5

8.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

0.0004 Low

EPSS

Percentile

9.1%