HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. This vulnerability does not affect the go-getter/v2 branch and package.
The vulnerability classified as CWE-88 (argument injection) consists of improper handling of input data passed to Git commands executed by the go-getter library. An attacker can inject additional arguments into the Git call, which allows manipulation of its behavior in a way not intended by the developer. This mechanism is triggered during the process of discovering remote branches of a repository. The vulnerability does not affect the go-getter/v2 branch and package.
Successful exploitation of this vulnerability may allow an attacker to perform unauthorized reading of sensitive data, data modification, or system availability disruption — in accordance with the CVSS vector indicating full impact on confidentiality, integrity, and availability (C:H/I:H/A:H).
Apply patches available from the vendor in accordance with the references (https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040). Alternatively, consider migrating to the go-getter/v2 package, which is not vulnerable to the described vulnerability.
HashiCorp go-getter (v1 branch/package). The vulnerability does not affect go-getter/v2. Detailed information about versions is indicated in the vendor's references.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HHashicorp Go Getter
APPHashicorp1.5.9 – 1.7.4 (bez)
Related vulnerabilities
go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via ab...
HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauth...
HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git...
go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processin...
go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTT...