CVE-2023-49569 (Critical) detected in github.com/go-git/go-git/v5-v5.4.3-0.20210630082519-b4368b2a2ca4

[mend-bolt-for-github[bot]]

CVE-2023-49569 - Critical Severity Vulnerability

Vulnerable Library - github.com/go-git/go-git/v5-v5.4.3-0.20210630082519-b4368b2a2ca4

A highly extensible Git implementation in pure Go.

Library home page: https://proxy.golang.org/github.com/go-git/go-git/v5/@v/v5.4.3-0.20210630082519-b4368b2a2ca4.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy: - :x: **github.com/go-git/go-git/v5-v5.4.3-0.20210630082519-b4368b2a2ca4** (Vulnerable Library)

Found in HEAD commit: 5a07ad71010693de12293f5ff1fadc890259b5e0

Found in base branch: main

Vulnerability Details

A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worse case scenario, remote code execution could be achieved. Applications are only affected if they are using the ChrootOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS , which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS  or in-memory filesystems are not affected by this issue. This is a go-git implementation issue and does not affect the upstream git cli.

Publish Date: 2024-01-12

URL: CVE-2023-49569

CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88

Release Date: 2024-01-12

Fix Resolution: v5.11.0

---

Step up your Open Source Security Game with Mend here