Lucene search

Veracode Vulnerability DatabaseVERACODE:46566

HistoryApr 22, 2024 - 11:28 a.m.

Argument Injection

2024-04-2211:28:36

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

argument injection

git commands

branch discovery

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

github.com/hashicorp/go-getter library is vulnerable to Argument Injection. The vulnerability is due to improper handling of user input in the file get_git.go, which allows for the injection of malicious arguments into Git commands during branch discovery.

CPENameOperatorVersion
github.com/hashicorp/go-getterlev1.7.3
github.com/hashicorp/go-getterlev1.7.3

CPE	Name	Operator	Version
	github.com/hashicorp/go-getter	le	v1.7.3
	github.com/hashicorp/go-getter	le	v1.7.3

References

discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040

github.com/advisories/GHSA-q64h-39hv-4cf7

github.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9

github.com/hashicorp/go-getter/pull/483

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

Related for VERACODE:46566