When go-getter is performing a Git operation, go-getter will try to clone the given repository. If a Git reference is not passed along with the Git url, go-getter will then try to check the remote repository’s HEAD reference of its default branch by passing arguments to the Git binary on the host it is executing on.
An attacker may format a Git URL in order to inject additional Git arguments to the Git call.
Consumers of the go-getter library should evaluate the risk associated with these issues in the context of their go-getter usage and upgrade go-getter to 1.7.4 or later.
Release Notes
hashicorp/go-getter (github.com/hashicorp/go-getter)
### [`v1.7.4`](https://togithub.com/hashicorp/go-getter/releases/tag/v1.7.4)
[Compare Source](https://togithub.com/hashicorp/go-getter/compare/v1.7.3...v1.7.4)
#### What's Changed
- Escape user-provided strings in `git` commands [https://github.com/hashicorp/go-getter/pull/483](https://togithub.com/hashicorp/go-getter/pull/483)
- Fixed a bug in `.netrc` handling if the file does not exist [https://github.com/hashicorp/go-getter/pull/433](https://togithub.com/hashicorp/go-getter/pull/433)
**Full Changelog**: https://github.com/hashicorp/go-getter/compare/v1.7.3...v1.7.4
### [`v1.7.3`](https://togithub.com/hashicorp/go-getter/releases/tag/v1.7.3)
[Compare Source](https://togithub.com/hashicorp/go-getter/compare/v1.7.2...v1.7.3)
#### What's Changed
- SEC-090: Automated trusted workflow pinning (2023-04-21) by [@hashicorp-tsccr](https://togithub.com/hashicorp-tsccr) in [https://github.com/hashicorp/go-getter/pull/432](https://togithub.com/hashicorp/go-getter/pull/432)
- SEC-090: Automated trusted workflow pinning (2023-09-11) by [@hashicorp-tsccr](https://togithub.com/hashicorp-tsccr) in [https://github.com/hashicorp/go-getter/pull/454](https://togithub.com/hashicorp/go-getter/pull/454)
- SEC-090: Automated trusted workflow pinning (2023-09-18) by [@hashicorp-tsccr](https://togithub.com/hashicorp-tsccr) in [https://github.com/hashicorp/go-getter/pull/458](https://togithub.com/hashicorp/go-getter/pull/458)
- don't change GIT_SSH_COMMAND when there is no sshKeyFile by [@jbardin](https://togithub.com/jbardin) in [https://github.com/hashicorp/go-getter/pull/459](https://togithub.com/hashicorp/go-getter/pull/459)
#### New Contributors
- [@hashicorp-tsccr](https://togithub.com/hashicorp-tsccr) made their first contribution in [https://github.com/hashicorp/go-getter/pull/432](https://togithub.com/hashicorp/go-getter/pull/432)
**Full Changelog**: https://github.com/hashicorp/go-getter/compare/v1.7.2...v1.7.3
### [`v1.7.2`](https://togithub.com/hashicorp/go-getter/releases/tag/v1.7.2)
[Compare Source](https://togithub.com/hashicorp/go-getter/compare/v1.7.1...v1.7.2)
#### What's Changed
- Don't override `GIT_SSH_COMMAND` when not needed by [@nl-brett-stime](https://togithub.com/nl-brett-stime) [https://github.com/hashicorp/go-getter/pull/300](https://togithub.com/hashicorp/go-getter/pull/300)
**Full Changelog**: https://github.com/hashicorp/go-getter/compare/v1.7.1...v1.7.2
### [`v1.7.1`](https://togithub.com/hashicorp/go-getter/compare/v1.7.0...v1.7.1)
[Compare Source](https://togithub.com/hashicorp/go-getter/compare/v1.7.0...v1.7.1)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
v1.7.0
->v1.7.4
GitHub Vulnerability Alerts
CVE-2024-3817
When go-getter is performing a Git operation, go-getter will try to clone the given repository. If a Git reference is not passed along with the Git url, go-getter will then try to check the remote repository’s HEAD reference of its default branch by passing arguments to the Git binary on the host it is executing on.
An attacker may format a Git URL in order to inject additional Git arguments to the Git call.
Consumers of the go-getter library should evaluate the risk associated with these issues in the context of their go-getter usage and upgrade go-getter to 1.7.4 or later.
Release Notes
hashicorp/go-getter (github.com/hashicorp/go-getter)
### [`v1.7.4`](https://togithub.com/hashicorp/go-getter/releases/tag/v1.7.4) [Compare Source](https://togithub.com/hashicorp/go-getter/compare/v1.7.3...v1.7.4) #### What's Changed - Escape user-provided strings in `git` commands [https://github.com/hashicorp/go-getter/pull/483](https://togithub.com/hashicorp/go-getter/pull/483) - Fixed a bug in `.netrc` handling if the file does not exist [https://github.com/hashicorp/go-getter/pull/433](https://togithub.com/hashicorp/go-getter/pull/433) **Full Changelog**: https://github.com/hashicorp/go-getter/compare/v1.7.3...v1.7.4 ### [`v1.7.3`](https://togithub.com/hashicorp/go-getter/releases/tag/v1.7.3) [Compare Source](https://togithub.com/hashicorp/go-getter/compare/v1.7.2...v1.7.3) #### What's Changed - SEC-090: Automated trusted workflow pinning (2023-04-21) by [@hashicorp-tsccr](https://togithub.com/hashicorp-tsccr) in [https://github.com/hashicorp/go-getter/pull/432](https://togithub.com/hashicorp/go-getter/pull/432) - SEC-090: Automated trusted workflow pinning (2023-09-11) by [@hashicorp-tsccr](https://togithub.com/hashicorp-tsccr) in [https://github.com/hashicorp/go-getter/pull/454](https://togithub.com/hashicorp/go-getter/pull/454) - SEC-090: Automated trusted workflow pinning (2023-09-18) by [@hashicorp-tsccr](https://togithub.com/hashicorp-tsccr) in [https://github.com/hashicorp/go-getter/pull/458](https://togithub.com/hashicorp/go-getter/pull/458) - don't change GIT_SSH_COMMAND when there is no sshKeyFile by [@jbardin](https://togithub.com/jbardin) in [https://github.com/hashicorp/go-getter/pull/459](https://togithub.com/hashicorp/go-getter/pull/459) #### New Contributors - [@hashicorp-tsccr](https://togithub.com/hashicorp-tsccr) made their first contribution in [https://github.com/hashicorp/go-getter/pull/432](https://togithub.com/hashicorp/go-getter/pull/432) **Full Changelog**: https://github.com/hashicorp/go-getter/compare/v1.7.2...v1.7.3 ### [`v1.7.2`](https://togithub.com/hashicorp/go-getter/releases/tag/v1.7.2) [Compare Source](https://togithub.com/hashicorp/go-getter/compare/v1.7.1...v1.7.2) #### What's Changed - Don't override `GIT_SSH_COMMAND` when not needed by [@nl-brett-stime](https://togithub.com/nl-brett-stime) [https://github.com/hashicorp/go-getter/pull/300](https://togithub.com/hashicorp/go-getter/pull/300) **Full Changelog**: https://github.com/hashicorp/go-getter/compare/v1.7.1...v1.7.2 ### [`v1.7.1`](https://togithub.com/hashicorp/go-getter/compare/v1.7.0...v1.7.1) [Compare Source](https://togithub.com/hashicorp/go-getter/compare/v1.7.0...v1.7.1)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.