CVE-2024-6257

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions HashiCorp’s go-getter library (affected versions not specified)

Description The issue is related to the go-getter library's handling of Git updates on existing maliciously modified Git configurations, potentially leading to arbitrary code execution. When performing a Git operation, the library clones a given repository to a specified destination, initializing a Git config. An attacker may alter this config after cloning to set an arbitrary Git configuration and achieve code execution. The exploitation of this issue may allow a remote attacker to execute arbitrary code.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-77

Related Identifiers

AZL-42982

BDU:2024-06668

CVE-2024-6257

GHSA-XFHP-JF8P-MH5W

GO-2024-2948

OPENSUSE-SU-2024:0268-1

OPENSUSE-SU-2024:0269-1

OPENSUSE-SU-2024:14183-1

OPENSUSE-SU-2024:14190-1

Affected Products

Debian

Red Os

Go-Getter

CVE-2024-6257

Weakness Enumeration

Related Identifiers

Affected Products

References · 30