A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worse case scenario, remote code execution could be achieved. Applications are only affected if they are using the ChrootOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS , which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS or in-memory filesystems are not affected by this issue. This is a go-git implementation issue and does not affect the upstream git cli.
The vulnerability affects the ChrootOS filesystem implementation in the go-git library, which is the default directory isolation mechanism when using 'Plain' functions such as PlainClone or PlainOpen. An attacker can construct a specially crafted Git repository containing file paths that traverse outside the designated chroot directory, enabling file writes anywhere on the filesystem. This is a bug in the go-git implementation and does not affect the native git CLI client.
An attacker can create and overwrite arbitrary files on the server or client filesystem, which can consequently lead to remote code execution (RCE). The confidentiality, integrity, and availability of the system are at risk.
The go-git library should be updated to version v5.11 or later. As a temporary workaround, ChrootOS usage can be replaced with a BoundOS implementation or in-memory filesystem, which are not vulnerable to this issue.
Go-Git (go-git project) in all versions prior to v5.11. The vulnerability affects only applications using ChrootOS (default with PlainClone, PlainOpen, etc. functions). Applications using BoundOS or in-memory filesystems are not vulnerable.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HGo Git Project Go Git
APPGo-Git Project4.0.0 – 5.11.0 (bez)
Related vulnerabilities
Argument injection w bibliotece go-git — dowolne flagi git-upload-pack
go-git is an extensible git implementation library written in pure Go. Prior to 5.19.0 and 6.0.0-alpha.3, go-g...
go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnera...
A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability a...
go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, a pa...