CRITICAL🇵🇱 Wersja polska

CVE-2024-3817

CVSS 9.8v3.1pub. 2024-04-17upd. 2025-12-11

HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. This vulnerability does not affect the go-getter/v2 branch and package.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-88 (argument injection) consists of improper handling of input data passed to Git commands executed by the go-getter library. An attacker can inject additional arguments into the Git call, which allows manipulation of its behavior in a way not intended by the developer. This mechanism is triggered during the process of discovering remote branches of a repository. The vulnerability does not affect the go-getter/v2 branch and package.

Impact

Successful exploitation of this vulnerability may allow an attacker to perform unauthorized reading of sensitive data, data modification, or system availability disruption — in accordance with the CVSS vector indicating full impact on confidentiality, integrity, and availability (C:H/I:H/A:H).

Mitigation & patch

Apply patches available from the vendor in accordance with the references (https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040). Alternatively, consider migrating to the go-getter/v2 package, which is not vulnerable to the described vulnerability.

Who is affected

HashiCorp go-getter (v1 branch/package). The vulnerability does not affect go-getter/v2. Detailed information about versions is indicated in the vendor's references.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Hashicorp Go Getter

    APP
    Hashicorp
    1.5.9 – 1.7.4 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2022-26945CRITICAL9.8ten sam produkt

go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via ab...

CVE-2025-8959HIGH7.5ten sam produkt

HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauth...

CVE-2024-6257HIGH8.4ten sam produkt

HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git...

CVE-2022-30321HIGH8.6ten sam produkt

go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processin...

CVE-2022-30322HIGH8.6ten sam produkt

go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTT...