Open mend-bolt-for-github[bot] opened 1 month ago
CVE-2024-6257 - High Severity Vulnerability
Vulnerable Library - github.com/hashicorp/go-getter-v1.7.4
Package for downloading things from a string URL using a variety of protocols.
Library home page: https://proxy.golang.org/github.com/hashicorp/go-getter/@v/v1.7.4.zip
Path to dependency file: /test/go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/hashicorp/go-getter/@v/v1.7.4.mod
Dependency Hierarchy:
- github.com/gruntwork-io/terratest-v0.46.14 (Root Library)
  - :x: **github.com/hashicorp/go-getter-v1.7.4** (Vulnerable Library)
Found in base branch: master
Vulnerability Details
HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.
Publish Date: 2024-06-25
URL: CVE-2024-6257
CVSS 3 Score Details (8.4)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: High
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

Suggested Fix
Type: Upgrade version
Origin: https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081
Release Date: 2024-06-25
Fix Resolution: github.com/hashicorp/go-getter-v1.7.5