Bug 2258143 (CVE-2023-49569) - CVE-2023-49569 go-git: Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients
Summary: CVE-2023-49569 go-git: Maliciously crafted Git server replies can lead to pat...
Keywords:
Status: NEW
Alias: CVE-2023-49569
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2259726 2259810 2259812 2259814 2259816 2259818 2259820 2259822 2259824 2259826 2259828 2259829 2259830 2259831 2259833 2259834 2259835 2270744 2271879 2259709 2259710 2259711 2259712 2259713 2259714 2259715 2259716 2259717 2259718 2259719 2259720 2259721 2259722 2259723 2259724 2259725 2259827 2259832 2271878
Blocks: 2258168
TreeView+ depends on / blocked
 
Reported: 2024-01-12 22:05 UTC by Pedro Sampaio
Modified: 2024-05-14 13:18 UTC (History)
53 users (show)

Fixed In Version: go-git 5.11
Doc Type: If docs needed, set a value
Doc Text:
A path traversal vulnerability was discovered in the go library go-git. This issue may allow an attacker to create and amend files across the filesystem when applications are using the default ChrootOS, potentially allowing remote code execution.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:0931 0 None None None 2024-02-21 01:00:57 UTC
Red Hat Product Errata RHBA-2024:0932 0 None None None 2024-02-21 01:01:16 UTC
Red Hat Product Errata RHBA-2024:0933 0 None None None 2024-02-21 01:01:28 UTC
Red Hat Product Errata RHBA-2024:1009 0 None None None 2024-02-27 19:49:33 UTC
Red Hat Product Errata RHBA-2024:1010 0 None None None 2024-02-27 20:48:11 UTC
Red Hat Product Errata RHBA-2024:1011 0 None None None 2024-02-27 21:40:29 UTC
Red Hat Product Errata RHBA-2024:2814 0 None None None 2024-05-09 19:39:38 UTC
Red Hat Product Errata RHSA-2023:7197 0 None None None 2024-02-27 19:47:59 UTC
Red Hat Product Errata RHSA-2023:7198 0 None None None 2024-02-27 20:50:16 UTC
Red Hat Product Errata RHSA-2024:0298 0 None None None 2024-01-18 16:37:35 UTC
Red Hat Product Errata RHSA-2024:0641 0 None None None 2024-02-07 16:41:40 UTC
Red Hat Product Errata RHSA-2024:0642 0 None None None 2024-02-07 17:36:49 UTC
Red Hat Product Errata RHSA-2024:0692 0 None None None 2024-03-22 16:04:17 UTC
Red Hat Product Errata RHSA-2024:0729 0 None None None 2024-02-07 20:08:46 UTC
Red Hat Product Errata RHSA-2024:0735 0 None None None 2024-02-13 17:23:45 UTC
Red Hat Product Errata RHSA-2024:0740 0 None None None 2024-02-14 05:51:57 UTC
Red Hat Product Errata RHSA-2024:0741 0 None None None 2024-02-14 06:34:12 UTC
Red Hat Product Errata RHSA-2024:0820 0 None None None 2024-02-14 18:45:18 UTC
Red Hat Product Errata RHSA-2024:0832 0 None None None 2024-02-21 00:30:49 UTC
Red Hat Product Errata RHSA-2024:0833 0 None None None 2024-02-21 01:44:25 UTC
Red Hat Product Errata RHSA-2024:0843 0 None None None 2024-02-15 12:55:47 UTC
Red Hat Product Errata RHSA-2024:0845 0 None None None 2024-02-21 01:40:43 UTC
Red Hat Product Errata RHSA-2024:0880 0 None None None 2024-02-20 11:03:40 UTC
Red Hat Product Errata RHSA-2024:0989 0 None None None 2024-02-26 16:08:01 UTC
Red Hat Product Errata RHSA-2024:1052 0 None None None 2024-03-06 00:38:28 UTC
Red Hat Product Errata RHSA-2024:1549 0 None None None 2024-03-27 18:47:35 UTC
Red Hat Product Errata RHSA-2024:1557 0 None None None 2024-03-28 05:31:20 UTC
Red Hat Product Errata RHSA-2024:1891 0 None None None 2024-04-26 12:38:39 UTC
Red Hat Product Errata RHSA-2024:1896 0 None None None 2024-04-25 15:14:49 UTC
Red Hat Product Errata RHSA-2024:2047 0 None None None 2024-05-02 16:37:28 UTC
Red Hat Product Errata RHSA-2024:2631 0 None None None 2024-05-01 01:10:47 UTC

Description Pedro Sampaio 2024-01-12 22:05:28 UTC 
A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worse case scenario, remote code execution could be achieved.

Applications are only affected if they are using the  ChrootOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS , which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using  BoundOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS  or in-memory filesystems are not affected by this issue.
This is a go-git implementation issue and does not affect the upstream git cli.

References:

https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88
Comment 3 errata-xmlrpc 2024-01-18 16:37:33 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8

Via RHSA-2024:0298 https://access.redhat.com/errata/RHSA-2024:0298
Comment 8 Gandhimathy 2024-01-22 09:30:31 UTC 
The same vulnerability need to be fixed in OSE package also.
registry.redhat.io/openshift4/ose-operator-registry container image,

The image is picked from "registry.redhat.io/openshift4/ose-operator-registry:v4.14.0"

It is blocking the security release.
Comment 77 errata-xmlrpc 2024-02-07 16:41:37 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0641 https://access.redhat.com/errata/RHSA-2024:0641
Comment 78 errata-xmlrpc 2024-02-07 17:36:46 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0642 https://access.redhat.com/errata/RHSA-2024:0642
Comment 79 errata-xmlrpc 2024-02-07 20:08:42 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.7 for RHEL 8

Via RHSA-2024:0729 https://access.redhat.com/errata/RHSA-2024:0729
Comment 81 errata-xmlrpc 2024-02-13 17:23:41 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0735 https://access.redhat.com/errata/RHSA-2024:0735
Comment 82 errata-xmlrpc 2024-02-14 05:51:53 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:0740 https://access.redhat.com/errata/RHSA-2024:0740
Comment 83 errata-xmlrpc 2024-02-14 06:34:09 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:0741 https://access.redhat.com/errata/RHSA-2024:0741
Comment 84 errata-xmlrpc 2024-02-14 18:45:15 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.8 for RHEL 8

Via RHSA-2024:0820 https://access.redhat.com/errata/RHSA-2024:0820
Comment 85 errata-xmlrpc 2024-02-15 12:55:44 UTC 
This issue has been addressed in the following products:

  RHOSS-1.31-RHEL-8

Via RHSA-2024:0843 https://access.redhat.com/errata/RHSA-2024:0843
Comment 87 errata-xmlrpc 2024-02-20 11:03:37 UTC 
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2024:0880 https://access.redhat.com/errata/RHSA-2024:0880
Comment 88 errata-xmlrpc 2024-02-21 00:30:46 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:0832 https://access.redhat.com/errata/RHSA-2024:0832
Comment 89 errata-xmlrpc 2024-02-21 01:40:40 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:0845 https://access.redhat.com/errata/RHSA-2024:0845
Comment 90 errata-xmlrpc 2024-02-21 01:44:22 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:0833 https://access.redhat.com/errata/RHSA-2024:0833
Comment 92 errata-xmlrpc 2024-02-26 16:07:58 UTC 
This issue has been addressed in the following products:

  multicluster-globalhub 1.0 for RHEL 8

Via RHSA-2024:0989 https://access.redhat.com/errata/RHSA-2024:0989
Comment 93 errata-xmlrpc 2024-02-27 19:47:56 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7197 https://access.redhat.com/errata/RHSA-2023:7197
Comment 94 errata-xmlrpc 2024-02-27 20:50:12 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7198 https://access.redhat.com/errata/RHSA-2023:7198
Comment 96 errata-xmlrpc 2024-03-06 00:38:25 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:1052 https://access.redhat.com/errata/RHSA-2024:1052
Comment 98 Jeremy West 2024-03-19 14:34:49 UTC 
Created grafana tracking bugs for this issue:

Affects: fedora-39 [bug 2259834]
Comment 99 Jeremy West 2024-03-19 14:34:54 UTC 
Created pack tracking bugs for this issue:

Affects: fedora-39 [bug 2259835]
Comment 100 Jeremy West 2024-03-19 14:35:00 UTC 
Created golang-github-git-5 tracking bugs for this issue:

Affects: fedora-39 [bug 2259832]
Comment 101 Jeremy West 2024-03-19 14:56:24 UTC 
Created golang-github-hashicorp-hc-install tracking bugs for this issue:

Affects: fedora-39 [bug 2259833]
Comment 102 Jeremy West 2024-03-19 14:56:37 UTC 
Created golang-github-hashicorp-hc-install tracking bugs for this issue:

Affects: fedora-38 [bug 2259828]
Comment 103 Jeremy West 2024-03-19 14:56:38 UTC 
Created pack tracking bugs for this issue:

Affects: fedora-38 [bug 2259830]
Comment 104 Jeremy West 2024-03-19 14:56:38 UTC 
Created grafana tracking bugs for this issue:

Affects: fedora-38 [bug 2259829]
Comment 105 Jeremy West 2024-03-19 14:56:39 UTC 
Created cri-o tracking bugs for this issue:

Affects: fedora-39 [bug 2259831]
Comment 106 Jeremy West 2024-03-19 15:03:36 UTC 
Created golang-github-hashicorp-hc-install tracking bugs for this issue:

Affects: fedora-39 [bug 2259833]
Comment 107 Jeremy West 2024-03-19 15:05:19 UTC 
Created pack tracking bugs for this issue:

Affects: fedora-38 [bug 2259830]
Comment 108 Jeremy West 2024-03-19 15:05:21 UTC 
Created cri-o:1.27/cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259826]
Comment 109 Jeremy West 2024-03-19 15:16:25 UTC 
Created cri-o:1.25/cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259822]
Comment 110 Jeremy West 2024-03-19 15:16:27 UTC 
Created cri-o:1.26/cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259824]
Comment 111 Jeremy West 2024-03-19 15:16:28 UTC 
Created golang-github-git-5 tracking bugs for this issue:

Affects: fedora-38 [bug 2259827]
Comment 112 Jeremy West 2024-03-19 17:55:15 UTC 
Created cri-o:1.25/cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259822]
Comment 113 Jeremy West 2024-03-19 17:55:33 UTC 
Created cri-o:1.23/cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259818]
Comment 114 Jeremy West 2024-03-19 17:55:35 UTC 
Created cri-o:1.24/cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259820]
Comment 115 Jeremy West 2024-03-19 18:03:20 UTC 
Created cri-o:1.25/cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259822]
Comment 116 Jeremy West 2024-03-19 18:03:29 UTC 
Created cri-o:1.22/cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259816]
Comment 117 Jeremy West 2024-03-19 18:22:51 UTC 
Created cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259814]
Comment 118 Jeremy West 2024-03-19 18:23:00 UTC 
Created pack tracking bugs for this issue:

Affects: epel-8 [bug 2259812]
Comment 119 Jeremy West 2024-03-19 19:34:32 UTC 
Created cri-o:1.21/cri-o tracking bugs for this issue:

Affects: epel-8 [bug 2259810]
Comment 120 errata-xmlrpc 2024-03-22 16:04:15 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.10

Via RHSA-2024:0692 https://access.redhat.com/errata/RHSA-2024:0692
Comment 121 errata-xmlrpc 2024-03-27 18:47:32 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.3

Via RHSA-2024:1549 https://access.redhat.com/errata/RHSA-2024:1549
Comment 122 errata-xmlrpc 2024-03-28 05:31:18 UTC 
This issue has been addressed in the following products:

  OPENSHIFT-BUILDS-1.0-RHEL-8

Via RHSA-2024:1557 https://access.redhat.com/errata/RHSA-2024:1557
Comment 123 errata-xmlrpc 2024-04-25 15:14:47 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:1896 https://access.redhat.com/errata/RHSA-2024:1896
Comment 124 errata-xmlrpc 2024-04-26 12:38:37 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:1891 https://access.redhat.com/errata/RHSA-2024:1891
Comment 125 errata-xmlrpc 2024-05-01 01:10:45 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2024:2631 https://access.redhat.com/errata/RHSA-2024:2631
Comment 126 errata-xmlrpc 2024-05-02 16:37:25 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:2047 https://access.redhat.com/errata/RHSA-2024:2047
Note You need to log in before you can comment on or make changes to this bug.