HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution. When go-getter is performing a Git operation, go-getter will try to clone the given repository in a specified destination. Cloning initializes a git config to the provided destination and if the repository needs to get updated go-getter will pull the new changes .
An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution.
Release Notes
hashicorp/go-getter (github.com/hashicorp/go-getter)
### [`v1.7.5`](https://togithub.com/hashicorp/go-getter/releases/tag/v1.7.5)
[Compare Source](https://togithub.com/hashicorp/go-getter/compare/v1.7.4...v1.7.5)
#### What's Changed
- Prevent Git Config Alteration on Git Update by [@dduzgun-security](https://togithub.com/dduzgun-security) in [https://github.com/hashicorp/go-getter/pull/497](https://togithub.com/hashicorp/go-getter/pull/497)
#### New Contributors
- [@dduzgun-security](https://togithub.com/dduzgun-security) made their first contribution in [https://github.com/hashicorp/go-getter/pull/497](https://togithub.com/hashicorp/go-getter/pull/497)
**Full Changelog**: https://github.com/hashicorp/go-getter/compare/v1.7.4...v1.7.5
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
v1.7.4
->v1.7.5
GitHub Vulnerability Alerts
CVE-2024-6257
HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution. When go-getter is performing a Git operation, go-getter will try to clone the given repository in a specified destination. Cloning initializes a git config to the provided destination and if the repository needs to get updated go-getter will pull the new changes .
An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution.
Release Notes
hashicorp/go-getter (github.com/hashicorp/go-getter)
### [`v1.7.5`](https://togithub.com/hashicorp/go-getter/releases/tag/v1.7.5) [Compare Source](https://togithub.com/hashicorp/go-getter/compare/v1.7.4...v1.7.5) #### What's Changed - Prevent Git Config Alteration on Git Update by [@dduzgun-security](https://togithub.com/dduzgun-security) in [https://github.com/hashicorp/go-getter/pull/497](https://togithub.com/hashicorp/go-getter/pull/497) #### New Contributors - [@dduzgun-security](https://togithub.com/dduzgun-security) made their first contribution in [https://github.com/hashicorp/go-getter/pull/497](https://togithub.com/hashicorp/go-getter/pull/497) **Full Changelog**: https://github.com/hashicorp/go-getter/compare/v1.7.4...v1.7.5Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.