PT-2024-5223 · Go-Getter+2
Alessio Della Libera · Published 2024-04-17 · Updated 2025-11-27 · CVE-2024-3817
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions:
go-getter versions prior to 1.7.4
go-getter/v2 branch and package are not affected
Description:
The go-getter library is vulnerable to argument injection when executing Git to discover remote branches. An attacker may format a Git URL so that it injects additional arguments into the Git call. This can happen when go-getter performs a Git operation and tries to clone the given repository: it checks the remote repository's HEAD reference for its default branch by passing arguments to the Git binary on the host it is executing on.
Recommendations:
For go-getter versions prior to 1.7.4, upgrade to version 1.7.4 or later to resolve the issue.
As a temporary workaround, consider restricting the use of Git URLs that could be used to inject additional Git arguments until a patch is available.
Consumers of the go-getter library should evaluate the risk associated with these issues in the context of their go-getter usage.
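One way a consumer could apply the workaround above before a remote reaches Git, as an added example (not go-getter's code or its patch). The function names, the scheme allow-list, the sample inputs and the `git ls-remote --symref` shape used as a stand-in for the remote HEAD lookup are all assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// allowedSchemes is an assumed policy for this example; adjust per deployment.
var allowedSchemes = map[string]bool{"https": true, "ssh": true}

// naiveLsRemoteArgs: risky shape, the remote sits where Git still parses options.
func naiveLsRemoteArgs(remote string) []string {
	return []string{"ls-remote", "--symref", remote, "HEAD"}
}

// safeLsRemoteArgs validates the remote, then places it after "--" (end of options).
func safeLsRemoteArgs(remote string) ([]string, error) {
	if remote == "" || strings.HasPrefix(remote, "-") {
		return nil, errors.New("remote is empty or starts with '-'")
	}
	if strings.ContainsAny(remote, " \t\r\n\x00") {
		return nil, errors.New("remote contains whitespace or NUL")
	}
	u, err := url.Parse(remote)
	if err != nil {
		return nil, fmt.Errorf("unparseable remote: %w", err)
	}
	if !allowedSchemes[u.Scheme] {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.Host == "" {
		return nil, errors.New("remote has no host")
	}
	return []string{"ls-remote", "--symref", "--", remote, "HEAD"}, nil
}

func main() {
	// Constructed sample inputs, not taken from the advisory.
	for _, r := range []string{
		"https://git.example.com/org/repo.git",
		"--constructed-option=value",
		"file:///srv/repo.git",
	} {
		args, err := safeLsRemoteArgs(r)
		fmt.Printf("%-40q args=%v err=%v\n", r, args, err)
	}
}
```

The returned slice is meant to be passed to `exec.Command("git", args...)`, never joined into a shell string.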
Fix
Argument Injection
Affected Products
Debian
Red Os
Go-Getter