When go-getter is performing a Git operation, go-getter will try to clone the given repository. If a Git reference is not passed along with the Git url, go-getter will then try to check the remote repository’s HEAD reference of its default branch by passing arguments to the Git binary on the host it is executing on.
An attacker may format a Git URL in order to inject additional Git arguments to the Git call.
Consumers of the go-getter library should evaluate the risk associated with these issues in the context of their go-getter usage and upgrade go-getter to 1.7.4 or later.
HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution. When go-getter is performing a Git operation, go-getter will try to clone the given repository in a specified destination. Cloning initializes a git config to the provided destination and if the repository needs to get updated go-getter will pull the new changes .
An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution.
HashiCorp go-getter Vulnerable to Argument Injection When Fetching Remote Default Git Branches
More information
#### Details
When go-getter is performing a Git operation, go-getter will try to clone the given repository. If a Git reference is not passed along with the Git url, go-getter will then try to check the remote repository’s HEAD reference of its default branch by passing arguments to the Git binary on the host it is executing on.
An attacker may format a Git URL in order to inject additional Git arguments to the Git call.
Consumers of the go-getter library should evaluate the risk associated with these issues in the context of their go-getter usage and upgrade go-getter to 1.7.4 or later.
#### Severity
- CVSS Score: 9.8 / 10 (Critical)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
#### References
- [https://nvd.nist.gov/vuln/detail/CVE-2024-3817](https://nvd.nist.gov/vuln/detail/CVE-2024-3817)
- [https://github.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9](https://togithub.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9)
- [https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040](https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040)
- [https://github.com/hashicorp/go-getter](https://togithub.com/hashicorp/go-getter)
This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-q64h-39hv-4cf7) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
Argument injection when fetching remote default Git branches in github.com/hashicorp/go-getter
More information
#### Details
When go-getter is performing a Git operation, go-getter will try to clone the given repository. If a Git reference is not passed along with the Git url, go-getter will then try to check the remote repository's HEAD reference of its default branch by passing arguments to the Git binary on the host it is executing on.
An attacker may format a Git URL in order to inject additional Git arguments to the Git call.
#### Severity
Unknown
#### References
- [https://github.com/advisories/GHSA-q64h-39hv-4cf7](https://togithub.com/advisories/GHSA-q64h-39hv-4cf7)
- [https://github.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9](https://togithub.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9)
- [https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040](https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040)
This data is provided by [OSV](https://osv.dev/vulnerability/GO-2024-2800) and the [Go Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY 4.0](https://togithub.com/golang/vulndb#license)).
HashiCorp go-getter Vulnerable to Code Execution On Git Update Via Git Config Manipulation
More information
#### Details
HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution. When go-getter is performing a Git operation, go-getter will try to clone the given repository in a specified destination. Cloning initializes a git config to the provided destination and if the repository needs to get updated go-getter will pull the new changes .
An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution.
#### Severity
- CVSS Score: 8.4 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H`
#### References
- [https://nvd.nist.gov/vuln/detail/CVE-2024-6257](https://nvd.nist.gov/vuln/detail/CVE-2024-6257)
- [https://github.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9](https://togithub.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9)
- [https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081](https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081)
- [https://github.com/advisories/GHSA-xfhp-jf8p-mh5w](https://togithub.com/advisories/GHSA-xfhp-jf8p-mh5w)
- [https://github.com/hashicorp/go-getter](https://togithub.com/hashicorp/go-getter)
This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-xfhp-jf8p-mh5w) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
Code Execution on Git update in github.com/hashicorp/go-getter
More information
#### Details
A crafted request can execute Git update on an existing maliciously modified Git Configuration. This can potentially lead to arbitrary code execution. When performing a Git operation, the library will try to clone the given repository to a specified destination. Cloning initializes a git config in the provided destination. An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution.
#### Severity
Unknown
#### References
- [https://github.com/advisories/GHSA-xfhp-jf8p-mh5w](https://togithub.com/advisories/GHSA-xfhp-jf8p-mh5w)
- [https://github.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9](https://togithub.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9)
- [https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081](https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081)
This data is provided by [OSV](https://osv.dev/vulnerability/GO-2024-2948) and the [Go Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY 4.0](https://togithub.com/golang/vulndb#license)).
Release Notes
hashicorp/go-getter (github.com/hashicorp/go-getter)
### [`v1.7.5`](https://togithub.com/hashicorp/go-getter/releases/tag/v1.7.5)
[Compare Source](https://togithub.com/hashicorp/go-getter/compare/v1.7.4...v1.7.5)
#### What's Changed
- Prevent Git Config Alteration on Git Update by [@dduzgun-security](https://togithub.com/dduzgun-security) in [https://github.com/hashicorp/go-getter/pull/497](https://togithub.com/hashicorp/go-getter/pull/497)
#### New Contributors
- [@dduzgun-security](https://togithub.com/dduzgun-security) made their first contribution in [https://github.com/hashicorp/go-getter/pull/497](https://togithub.com/hashicorp/go-getter/pull/497)
**Full Changelog**: https://github.com/hashicorp/go-getter/compare/v1.7.4...v1.7.5
### [`v1.7.4`](https://togithub.com/hashicorp/go-getter/releases/tag/v1.7.4)
[Compare Source](https://togithub.com/hashicorp/go-getter/compare/v1.7.3...v1.7.4)
#### What's Changed
- Escape user-provided strings in `git` commands [https://github.com/hashicorp/go-getter/pull/483](https://togithub.com/hashicorp/go-getter/pull/483)
- Fixed a bug in `.netrc` handling if the file does not exist [https://github.com/hashicorp/go-getter/pull/433](https://togithub.com/hashicorp/go-getter/pull/433)
**Full Changelog**: https://github.com/hashicorp/go-getter/compare/v1.7.3...v1.7.4
### [`v1.7.3`](https://togithub.com/hashicorp/go-getter/releases/tag/v1.7.3)
[Compare Source](https://togithub.com/hashicorp/go-getter/compare/v1.7.2...v1.7.3)
#### What's Changed
- SEC-090: Automated trusted workflow pinning (2023-04-21) by [@hashicorp-tsccr](https://togithub.com/hashicorp-tsccr) in [https://github.com/hashicorp/go-getter/pull/432](https://togithub.com/hashicorp/go-getter/pull/432)
- SEC-090: Automated trusted workflow pinning (2023-09-11) by [@hashicorp-tsccr](https://togithub.com/hashicorp-tsccr) in [https://github.com/hashicorp/go-getter/pull/454](https://togithub.com/hashicorp/go-getter/pull/454)
- SEC-090: Automated trusted workflow pinning (2023-09-18) by [@hashicorp-tsccr](https://togithub.com/hashicorp-tsccr) in [https://github.com/hashicorp/go-getter/pull/458](https://togithub.com/hashicorp/go-getter/pull/458)
- don't change GIT_SSH_COMMAND when there is no sshKeyFile by [@jbardin](https://togithub.com/jbardin) in [https://github.com/hashicorp/go-getter/pull/459](https://togithub.com/hashicorp/go-getter/pull/459)
#### New Contributors
- [@hashicorp-tsccr](https://togithub.com/hashicorp-tsccr) made their first contribution in [https://github.com/hashicorp/go-getter/pull/432](https://togithub.com/hashicorp/go-getter/pull/432)
**Full Changelog**: https://github.com/hashicorp/go-getter/compare/v1.7.2...v1.7.3
### [`v1.7.2`](https://togithub.com/hashicorp/go-getter/releases/tag/v1.7.2)
[Compare Source](https://togithub.com/hashicorp/go-getter/compare/v1.7.1...v1.7.2)
#### What's Changed
- Don't override `GIT_SSH_COMMAND` when not needed by [@nl-brett-stime](https://togithub.com/nl-brett-stime) [https://github.com/hashicorp/go-getter/pull/300](https://togithub.com/hashicorp/go-getter/pull/300)
**Full Changelog**: https://github.com/hashicorp/go-getter/compare/v1.7.1...v1.7.2
### [`v1.7.1`](https://togithub.com/hashicorp/go-getter/compare/v1.7.0...v1.7.1)
[Compare Source](https://togithub.com/hashicorp/go-getter/compare/v1.7.0...v1.7.1)
Configuration
đź“… Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
v1.7.0
->v1.7.5
GitHub Vulnerability Alerts
CVE-2024-3817
When go-getter is performing a Git operation, go-getter will try to clone the given repository. If a Git reference is not passed along with the Git url, go-getter will then try to check the remote repository’s HEAD reference of its default branch by passing arguments to the Git binary on the host it is executing on.
An attacker may format a Git URL in order to inject additional Git arguments to the Git call.
Consumers of the go-getter library should evaluate the risk associated with these issues in the context of their go-getter usage and upgrade go-getter to 1.7.4 or later.
CVE-2024-6257
HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution. When go-getter is performing a Git operation, go-getter will try to clone the given repository in a specified destination. Cloning initializes a git config to the provided destination and if the repository needs to get updated go-getter will pull the new changes .
An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution.
HashiCorp go-getter Vulnerable to Argument Injection When Fetching Remote Default Git Branches
CVE-2024-3817 / GHSA-q64h-39hv-4cf7 / GO-2024-2800
More information
#### Details When go-getter is performing a Git operation, go-getter will try to clone the given repository. If a Git reference is not passed along with the Git url, go-getter will then try to check the remote repository’s HEAD reference of its default branch by passing arguments to the Git binary on the host it is executing on. An attacker may format a Git URL in order to inject additional Git arguments to the Git call. Consumers of the go-getter library should evaluate the risk associated with these issues in the context of their go-getter usage and upgrade go-getter to 1.7.4 or later. #### Severity - CVSS Score: 9.8 / 10 (Critical) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2024-3817](https://nvd.nist.gov/vuln/detail/CVE-2024-3817) - [https://github.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9](https://togithub.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9) - [https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040](https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040) - [https://github.com/hashicorp/go-getter](https://togithub.com/hashicorp/go-getter) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-q64h-39hv-4cf7) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).Argument injection when fetching remote default Git branches in github.com/hashicorp/go-getter
CVE-2024-3817 / GHSA-q64h-39hv-4cf7 / GO-2024-2800
More information
#### Details When go-getter is performing a Git operation, go-getter will try to clone the given repository. If a Git reference is not passed along with the Git url, go-getter will then try to check the remote repository's HEAD reference of its default branch by passing arguments to the Git binary on the host it is executing on. An attacker may format a Git URL in order to inject additional Git arguments to the Git call. #### Severity Unknown #### References - [https://github.com/advisories/GHSA-q64h-39hv-4cf7](https://togithub.com/advisories/GHSA-q64h-39hv-4cf7) - [https://github.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9](https://togithub.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9) - [https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040](https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2024-2800) and the [Go Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY 4.0](https://togithub.com/golang/vulndb#license)).HashiCorp go-getter Vulnerable to Code Execution On Git Update Via Git Config Manipulation
CGA-grwc-xwh5-vfhw / CGA-p58v-7jgp-wxgq / CVE-2024-6257 / GHSA-xfhp-jf8p-mh5w / GO-2024-2948
More information
#### Details HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution. When go-getter is performing a Git operation, go-getter will try to clone the given repository in a specified destination. Cloning initializes a git config to the provided destination and if the repository needs to get updated go-getter will pull the new changes . An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution. #### Severity - CVSS Score: 8.4 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2024-6257](https://nvd.nist.gov/vuln/detail/CVE-2024-6257) - [https://github.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9](https://togithub.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9) - [https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081](https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081) - [https://github.com/advisories/GHSA-xfhp-jf8p-mh5w](https://togithub.com/advisories/GHSA-xfhp-jf8p-mh5w) - [https://github.com/hashicorp/go-getter](https://togithub.com/hashicorp/go-getter) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-xfhp-jf8p-mh5w) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).Code Execution on Git update in github.com/hashicorp/go-getter
CGA-grwc-xwh5-vfhw / CGA-p58v-7jgp-wxgq / CVE-2024-6257 / GHSA-xfhp-jf8p-mh5w / GO-2024-2948
More information
#### Details A crafted request can execute Git update on an existing maliciously modified Git Configuration. This can potentially lead to arbitrary code execution. When performing a Git operation, the library will try to clone the given repository to a specified destination. Cloning initializes a git config in the provided destination. An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution. #### Severity Unknown #### References - [https://github.com/advisories/GHSA-xfhp-jf8p-mh5w](https://togithub.com/advisories/GHSA-xfhp-jf8p-mh5w) - [https://github.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9](https://togithub.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9) - [https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081](https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2024-2948) and the [Go Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY 4.0](https://togithub.com/golang/vulndb#license)).Release Notes
hashicorp/go-getter (github.com/hashicorp/go-getter)
### [`v1.7.5`](https://togithub.com/hashicorp/go-getter/releases/tag/v1.7.5) [Compare Source](https://togithub.com/hashicorp/go-getter/compare/v1.7.4...v1.7.5) #### What's Changed - Prevent Git Config Alteration on Git Update by [@dduzgun-security](https://togithub.com/dduzgun-security) in [https://github.com/hashicorp/go-getter/pull/497](https://togithub.com/hashicorp/go-getter/pull/497) #### New Contributors - [@dduzgun-security](https://togithub.com/dduzgun-security) made their first contribution in [https://github.com/hashicorp/go-getter/pull/497](https://togithub.com/hashicorp/go-getter/pull/497) **Full Changelog**: https://github.com/hashicorp/go-getter/compare/v1.7.4...v1.7.5 ### [`v1.7.4`](https://togithub.com/hashicorp/go-getter/releases/tag/v1.7.4) [Compare Source](https://togithub.com/hashicorp/go-getter/compare/v1.7.3...v1.7.4) #### What's Changed - Escape user-provided strings in `git` commands [https://github.com/hashicorp/go-getter/pull/483](https://togithub.com/hashicorp/go-getter/pull/483) - Fixed a bug in `.netrc` handling if the file does not exist [https://github.com/hashicorp/go-getter/pull/433](https://togithub.com/hashicorp/go-getter/pull/433) **Full Changelog**: https://github.com/hashicorp/go-getter/compare/v1.7.3...v1.7.4 ### [`v1.7.3`](https://togithub.com/hashicorp/go-getter/releases/tag/v1.7.3) [Compare Source](https://togithub.com/hashicorp/go-getter/compare/v1.7.2...v1.7.3) #### What's Changed - SEC-090: Automated trusted workflow pinning (2023-04-21) by [@hashicorp-tsccr](https://togithub.com/hashicorp-tsccr) in [https://github.com/hashicorp/go-getter/pull/432](https://togithub.com/hashicorp/go-getter/pull/432) - SEC-090: Automated trusted workflow pinning (2023-09-11) by [@hashicorp-tsccr](https://togithub.com/hashicorp-tsccr) in [https://github.com/hashicorp/go-getter/pull/454](https://togithub.com/hashicorp/go-getter/pull/454) - SEC-090: Automated trusted workflow pinning (2023-09-18) by [@hashicorp-tsccr](https://togithub.com/hashicorp-tsccr) in [https://github.com/hashicorp/go-getter/pull/458](https://togithub.com/hashicorp/go-getter/pull/458) - don't change GIT_SSH_COMMAND when there is no sshKeyFile by [@jbardin](https://togithub.com/jbardin) in [https://github.com/hashicorp/go-getter/pull/459](https://togithub.com/hashicorp/go-getter/pull/459) #### New Contributors - [@hashicorp-tsccr](https://togithub.com/hashicorp-tsccr) made their first contribution in [https://github.com/hashicorp/go-getter/pull/432](https://togithub.com/hashicorp/go-getter/pull/432) **Full Changelog**: https://github.com/hashicorp/go-getter/compare/v1.7.2...v1.7.3 ### [`v1.7.2`](https://togithub.com/hashicorp/go-getter/releases/tag/v1.7.2) [Compare Source](https://togithub.com/hashicorp/go-getter/compare/v1.7.1...v1.7.2) #### What's Changed - Don't override `GIT_SSH_COMMAND` when not needed by [@nl-brett-stime](https://togithub.com/nl-brett-stime) [https://github.com/hashicorp/go-getter/pull/300](https://togithub.com/hashicorp/go-getter/pull/300) **Full Changelog**: https://github.com/hashicorp/go-getter/compare/v1.7.1...v1.7.2 ### [`v1.7.1`](https://togithub.com/hashicorp/go-getter/compare/v1.7.0...v1.7.1) [Compare Source](https://togithub.com/hashicorp/go-getter/compare/v1.7.0...v1.7.1)Configuration
đź“… Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.