Description
A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. A malicious or compromised Git server can send specially crafted responses that trigger resource exhaustion in go-git clients, so an attacker only needs to control (or sit in the path to) a server the client connects to.
Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability.
This is a go-git implementation issue and does not affect the upstream git CLI.
Statement
This problem affects only the Go implementation (go-git) and not the original git CLI code. Applications using only in-memory filesystems are not affected. Clients should be restricted to connecting only to trusted Git servers to reduce the risk of compromise.
Mitigation
Where an upgrade to go-git v5.11 or later is not possible, exposure to this threat can be reduced by limiting go-git's use to trustworthy Git servers only.
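The mitigation above is a policy statement; in code it means refusing to open a clone or fetch against any server that is not on an allowlist, and bounding how long a single operation may run. The following is an added example written for this page, not code from go-git or from the advisory: it parses the remote forms Git accepts (scheme URLs and the scp-like `user@host:path` syntax), rejects local paths and `file://` URLs (which bypass the server check), matches the host exactly against an allowlist, and returns a context with a deadline to hand to go-git's `git.PlainCloneContext` or `git.CloneContext`. The hostnames in `trustedGitHosts` and all remotes in `main` are constructed placeholders.

```go
package main

import (
	"context"
	"fmt"
	"net/url"
	"regexp"
	"strings"
	"time"
)

// trustedGitHosts is the allowlist of Git servers this client may contact.
// The hostnames are placeholders chosen for this example, not from the advisory.
var trustedGitHosts = map[string]bool{
	"git.internal.example.com": true,
	"github.com":               true,
}

// scpLike matches Git's scheme-less "user@host:path" remote form, e.g.
// git@github.com:org/repo.git. The path must not start with "/", so scheme
// URLs such as https://host/... (where ":" is followed by "/") do not match.
var scpLike = regexp.MustCompile(`^(?:[^@/]+@)?([^:/]+):[^/].*$`)

// RemoteHost extracts the server hostname from a Git remote reference.
// It accepts https://, ssh:// and git:// URLs and scp-like syntax. Local
// paths and file:// URLs are rejected because they bypass the server allowlist.
func RemoteHost(remote string) (string, error) {
	if m := scpLike.FindStringSubmatch(remote); m != nil {
		return strings.ToLower(m[1]), nil
	}
	u, err := url.Parse(remote)
	if err != nil {
		return "", fmt.Errorf("unparsable remote %q: %w", remote, err)
	}
	switch u.Scheme {
	case "https", "ssh", "git":
	case "":
		return "", fmt.Errorf("remote %q is a local path, not a server URL", remote)
	default:
		return "", fmt.Errorf("scheme %q is not allowed for remote %q", u.Scheme, remote)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return "", fmt.Errorf("remote %q has no host", remote)
	}
	return host, nil
}

// CheckTrustedRemote returns nil only when the remote points at an allowlisted
// server. Matching is exact, so "github.com.evil.example.net" is not "github.com".
func CheckTrustedRemote(remote string) error {
	host, err := RemoteHost(remote)
	if err != nil {
		return err
	}
	if !trustedGitHosts[host] {
		return fmt.Errorf("git server %q is not in the trusted list", host)
	}
	return nil
}

// BoundedCloneContext validates the remote and returns a context with a
// deadline, so a server that streams an endless or very slow response cannot
// hold the operation open indefinitely. Pass the context to
// git.PlainCloneContext / git.CloneContext together with the remote URL.
func BoundedCloneContext(parent context.Context, remote string, limit time.Duration) (context.Context, context.CancelFunc, error) {
	if err := CheckTrustedRemote(remote); err != nil {
		return nil, nil, err
	}
	ctx, cancel := context.WithTimeout(parent, limit)
	return ctx, cancel, nil
}

func main() {
	// Constructed remotes covering the cases a caller is likely to meet.
	remotes := []string{
		"https://github.com/org/repo.git",
		"git@git.internal.example.com:team/service.git",
		"ssh://git@github.com:22/org/repo.git",
		"https://github.com.evil.example.net/org/repo.git",
		"git@mirror.example.net:org/repo.git",
		"file:///tmp/repo",
		"/srv/git/repo",
	}
	for _, r := range remotes {
		_, cancel, err := BoundedCloneContext(context.Background(), r, 5*time.Minute)
		if err != nil {
			fmt.Printf("REJECT %-52s %v\n", r, err)
			continue
		}
		cancel()
		fmt.Printf("ALLOW  %s\n", r)
	}
}
```

In a real client the returned context and the validated remote go into the go-git call, for example `git.PlainCloneContext(ctx, dir, false, &git.CloneOptions{URL: remote})`. The deadline is a coarse bound only: it limits how long a crafted response can occupy the client, but it does not limit memory or disk use, so upgrading to a fixed go-git release remains the actual fix.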
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| OpenShift Developer Tools and Services | odo | Will not fix | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | hub-of-hubs-gitops | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | multicluster-engine | Affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | multicluster-engine-assisted-installer-reporter | Will not fix | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | multicluster-engine-assisted-service | Will not fix | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | multicluster-globalhub-grafana | Affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/cluster-curator-controller-rhel8 | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/clusterlifecycle-state-metrics-rhel8 | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/multicluster-operators-subscription-release-rhel8 | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/openshift-hive-rhel8 | Not affected | | |
Additional information
CVSS3: 7.5 High
Related vulnerabilities
Maliciously crafted Git server replies can cause DoS on go-git clients (CVSS3: 7.5 High)