Описание
go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.
An argument injection vulnerability was found in go-git. This flaw allows an attacker to set arbitrary values to git-upload-pack flags, leading to command or code execution, exposure of sensitive data, or other unintended behavior. This is only possible in configurations where the file transport protocol is being used.
Отчет
This vulnerability is rated as an Important severity because an argument injection has been discovered in go-git, where an attackers can manipulate git-upload-pack flags, potentially enabling command or code execution leads to an exposure of sensitive data or other unintended actions, this vulnerability occurs exclusively in configurations using the file transport protocol.
Меры по смягчению последствий
In cases where it is not possible to update to the latest version of go-git, it is recommended to enforce validation rules for values passed in the URL field.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Builds for Red Hat OpenShift | openshift-builds/openshift-builds-image-bundler-rhel9 | Affected | ||
| OpenShift API for Data Protection | oadp/oadp-mustgather-rhel8 | Affected | ||
| OpenShift Developer Tools and Services | odo | Will not fix | ||
| OpenShift Serverless | openshift-serverless-1/client-kn-rhel8 | Affected | ||
| OpenShift Serverless | openshift-serverless-1-func-utils-rhel8-container | Affected | ||
| OpenShift Serverless | openshift-serverless-1/kn-cli-artifacts-rhel8 | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/multicluster-operators-subscription-rhel8 | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/submariner-rhel8-operator | Affected | ||
| Red Hat Ceph Storage 7 | rhceph/grafana-rhel9 | Affected | ||
| Red Hat Enterprise Linux 9 | grafana | Affected |
Показывать по
Дополнительная информация
Статус:
EPSS
8.1 High
CVSS3
Связанные уязвимости
go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.
go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.
go-git is a highly extensible git implementation library written in pu ...
EPSS
8.1 High
CVSS3