github-actions[bot]
commented
5 days ago Hey!
Your images are ready:
ghcr.io/openclarity/vmclarity-apiserver-dev:pr1852-7c855a59b7c670072908acaf2939b7ee787aa8daghcr.io/openclarity/vmclarity-cli-dev:pr1852-7c855a59b7c670072908acaf2939b7ee787aa8daghcr.io/openclarity/vmclarity-cr-discovery-server-dev:pr1852-7c855a59b7c670072908acaf2939b7ee787aa8daghcr.io/openclarity/vmclarity-orchestrator-dev:pr1852-7c855a59b7c670072908acaf2939b7ee787aa8daghcr.io/openclarity/vmclarity-plugin-kics-dev:pr1852-7c855a59b7c670072908acaf2939b7ee787aa8daghcr.io/openclarity/vmclarity-ui-dev:pr1852-7c855a59b7c670072908acaf2939b7ee787aa8daghcr.io/openclarity/vmclarity-ui-backend-dev:pr1852-7c855a59b7c670072908acaf2939b7ee787aa8da
This PR contains the following updates:
v1.7.4->v1.7.5GitHub Vulnerability Alerts
CVE-2024-6257
HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution. When go-getter is performing a Git operation, go-getter will try to clone the given repository in a specified destination. Cloning initializes a git config to the provided destination and if the repository needs to get updated go-getter will pull the new changes .
An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution.
Code Execution on Git update in github.com/hashicorp/go-getter
CGA-grwc-xwh5-vfhw / CGA-p58v-7jgp-wxgq / CVE-2024-6257 / GHSA-xfhp-jf8p-mh5w / GO-2024-2948
More information
#### Details A crafted request can execute Git update on an existing maliciously modified Git Configuration. This can potentially lead to arbitrary code execution. When performing a Git operation, the library will try to clone the given repository to a specified destination. Cloning initializes a git config in the provided destination. An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution. #### Severity Unknown #### References - [https://github.com/advisories/GHSA-xfhp-jf8p-mh5w](https://togithub.com/advisories/GHSA-xfhp-jf8p-mh5w) - [https://github.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9](https://togithub.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9) - [https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081](https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2024-2948) and the [Go Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY 4.0](https://togithub.com/golang/vulndb#license)).HashiCorp go-getter Vulnerable to Code Execution On Git Update Via Git Config Manipulation
CGA-grwc-xwh5-vfhw / CGA-p58v-7jgp-wxgq / CVE-2024-6257 / GHSA-xfhp-jf8p-mh5w / GO-2024-2948
More information
#### Details HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution. When go-getter is performing a Git operation, go-getter will try to clone the given repository in a specified destination. Cloning initializes a git config to the provided destination and if the repository needs to get updated go-getter will pull the new changes . An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution. #### Severity - CVSS Score: 8.4 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2024-6257](https://nvd.nist.gov/vuln/detail/CVE-2024-6257) - [https://github.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9](https://togithub.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9) - [https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081](https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081) - [https://github.com/advisories/GHSA-xfhp-jf8p-mh5w](https://togithub.com/advisories/GHSA-xfhp-jf8p-mh5w) - [https://github.com/hashicorp/go-getter](https://togithub.com/hashicorp/go-getter) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-xfhp-jf8p-mh5w) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).Release Notes
hashicorp/go-getter (github.com/hashicorp/go-getter)
### [`v1.7.5`](https://togithub.com/hashicorp/go-getter/releases/tag/v1.7.5) [Compare Source](https://togithub.com/hashicorp/go-getter/compare/v1.7.4...v1.7.5) #### What's Changed - Prevent Git Config Alteration on Git Update by [@dduzgun-security](https://togithub.com/dduzgun-security) in [https://github.com/hashicorp/go-getter/pull/497](https://togithub.com/hashicorp/go-getter/pull/497) #### New Contributors - [@dduzgun-security](https://togithub.com/dduzgun-security) made their first contribution in [https://github.com/hashicorp/go-getter/pull/497](https://togithub.com/hashicorp/go-getter/pull/497) **Full Changelog**: https://github.com/hashicorp/go-getter/compare/v1.7.4...v1.7.5Configuration
📅 Schedule: Branch creation - "" in timezone Etc/UTC, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.