Veracode Vulnerability Database: VERACODE:47749
History: Jun 26, 2024 - 6:23 a.m.

Command Injection

2024-06-26 06:23:22
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
github.com/hashicorp/go-getter
command injection
git operations
git configuration
arbitrary code
vulnerability

CVSS3: 8.4 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

AI Score: 7.2 High
Confidence: Low

github.com/hashicorp/go-getter is vulnerable to Command Injection. The vulnerability is caused by improper handling of arguments in Git operations within get_git.go. This allows attackers to manipulate the Git configuration and execute arbitrary code.
