Bug 2258143 (CVE-2023-49569) - CVE-2023-49569 go-git: Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients
Keywords:
Status: NEW
Alias: CVE-2023-49569
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2259810 2259812 2259831 2259833 2259834 2259835 2271879 2259709 2259710 2259711 2259712 2259713 2259714 2259715 2259716 2259717 2259718 2259719 2259720 2259721 2259722 2259723 2259724 2259725 2259726 2259814 2259816 2259818 2259820 2259822 2259824 2259826 2259827 2259828 2259829 2259830 2259832 2270744 2271878
Blocks: 2258168
Reported: 2024-01-12 22:05 UTC by Pedro Sampaio
Modified: 2024-10-31 03:37 UTC

Fixed In Version: go-git 5.11
Doc Type: If docs needed, set a value
Doc Text:
A path traversal vulnerability was discovered in the go library go-git. This issue may allow an attacker to create and amend files across the filesystem when applications are using the default ChrootOS, potentially allowing remote code execution.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:0931 0 None None None 2024-02-21 01:00:57 UTC
Red Hat Product Errata RHBA-2024:0932 0 None None None 2024-02-21 01:01:16 UTC
Red Hat Product Errata RHBA-2024:0933 0 None None None 2024-02-21 01:01:28 UTC
Red Hat Product Errata RHBA-2024:1009 0 None None None 2024-02-27 19:49:33 UTC
Red Hat Product Errata RHBA-2024:1010 0 None None None 2024-02-27 20:48:11 UTC
Red Hat Product Errata RHBA-2024:1011 0 None None None 2024-02-27 21:40:29 UTC
Red Hat Product Errata RHBA-2024:2814 0 None None None 2024-05-09 19:39:38 UTC
Red Hat Product Errata RHSA-2023:7197 0 None None None 2024-02-27 19:47:59 UTC
Red Hat Product Errata RHSA-2023:7198 0 None None None 2024-02-27 20:50:16 UTC
Red Hat Product Errata RHSA-2024:0298 0 None None None 2024-01-18 16:37:35 UTC
Red Hat Product Errata RHSA-2024:0641 0 None None None 2024-02-07 16:41:40 UTC
Red Hat Product Errata RHSA-2024:0642 0 None None None 2024-02-07 17:36:49 UTC
Red Hat Product Errata RHSA-2024:0692 0 None None None 2024-03-22 16:04:17 UTC
Red Hat Product Errata RHSA-2024:0729 0 None None None 2024-02-07 20:08:46 UTC
Red Hat Product Errata RHSA-2024:0735 0 None None None 2024-02-13 17:23:45 UTC
Red Hat Product Errata RHSA-2024:0740 0 None None None 2024-02-14 05:51:57 UTC
Red Hat Product Errata RHSA-2024:0741 0 None None None 2024-02-14 06:34:12 UTC
Red Hat Product Errata RHSA-2024:0820 0 None None None 2024-02-14 18:45:18 UTC
Red Hat Product Errata RHSA-2024:0832 0 None None None 2024-02-21 00:30:49 UTC
Red Hat Product Errata RHSA-2024:0833 0 None None None 2024-02-21 01:44:25 UTC
Red Hat Product Errata RHSA-2024:0843 0 None None None 2024-02-15 12:55:47 UTC
Red Hat Product Errata RHSA-2024:0845 0 None None None 2024-02-21 01:40:43 UTC
Red Hat Product Errata RHSA-2024:0880 0 None None None 2024-02-20 11:03:40 UTC
Red Hat Product Errata RHSA-2024:0989 0 None None None 2024-02-26 16:08:01 UTC
Red Hat Product Errata RHSA-2024:1052 0 None None None 2024-03-06 00:38:28 UTC
Red Hat Product Errata RHSA-2024:1549 0 None None None 2024-03-27 18:47:35 UTC
Red Hat Product Errata RHSA-2024:1557 0 None None None 2024-03-28 05:31:20 UTC
Red Hat Product Errata RHSA-2024:1891 0 None None None 2024-04-26 12:38:39 UTC
Red Hat Product Errata RHSA-2024:1896 0 None None None 2024-04-25 15:14:49 UTC
Red Hat Product Errata RHSA-2024:2047 0 None None None 2024-05-02 16:37:28 UTC
Red Hat Product Errata RHSA-2024:2631 0 None None None 2024-05-01 01:10:47 UTC
Red Hat Product Errata RHSA-2024:3925 0 None None None 2024-06-13 14:24:30 UTC
Red Hat Product Errata RHSA-2024:4118 0 None None None 2024-06-26 10:01:47 UTC
Red Hat Product Errata RHSA-2024:6221 0 None None None 2024-09-03 11:45:09 UTC
Red Hat Product Errata RHSA-2024:8425 0 None None None 2024-10-31 03:37:30 UTC

Description Pedro Sampaio 2024-01-12 22:05:28 UTC
A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worst-case scenario, remote code execution could be achieved.

Applications are only affected if they are using ChrootOS (https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS), which is the default when using the "Plain" versions of the Open and Clone funcs (e.g. PlainClone). Applications using BoundOS (https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS) or in-memory filesystems are not affected by this issue.
This is a go-git implementation issue and does not affect the upstream git cli.

References:

https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88

Comment 3 errata-xmlrpc 2024-01-18 16:37:33 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8

Via RHSA-2024:0298 https://access.redhat.com/errata/RHSA-2024:0298

Comment 8 Gandhimathy 2024-01-22 09:30:31 UTC
The same vulnerability needs to be fixed in the OSE package also,
the registry.redhat.io/openshift4/ose-operator-registry container image.

The image is picked from "registry.redhat.io/openshift4/ose-operator-registry:v4.14.0"

It is blocking the security release.

Comment 77 errata-xmlrpc 2024-02-07 16:41:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0641 https://access.redhat.com/errata/RHSA-2024:0641

Comment 78 errata-xmlrpc 2024-02-07 17:36:46 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0642 https://access.redhat.com/errata/RHSA-2024:0642

Comment 79 errata-xmlrpc 2024-02-07 20:08:42 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.7 for RHEL 8

Via RHSA-2024:0729 https://access.redhat.com/errata/RHSA-2024:0729

Comment 81 errata-xmlrpc 2024-02-13 17:23:41 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0735 https://access.redhat.com/errata/RHSA-2024:0735

Comment 82 errata-xmlrpc 2024-02-14 05:51:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:0740 https://access.redhat.com/errata/RHSA-2024:0740

Comment 83 errata-xmlrpc 2024-02-14 06:34:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:0741 https://access.redhat.com/errata/RHSA-2024:0741

Comment 84 errata-xmlrpc 2024-02-14 18:45:15 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.8 for RHEL 8

Via RHSA-2024:0820 https://access.redhat.com/errata/RHSA-2024:0820

Comment 85 errata-xmlrpc 2024-02-15 12:55:44 UTC
This issue has been addressed in the following products:

  RHOSS-1.31-RHEL-8

Via RHSA-2024:0843 https://access.redhat.com/errata/RHSA-2024:0843

Comment 87 errata-xmlrpc 2024-02-20 11:03:37 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2024:0880 https://access.redhat.com/errata/RHSA-2024:0880

Comment 88 errata-xmlrpc 2024-02-21 00:30:46 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:0832 https://access.redhat.com/errata/RHSA-2024:0832

Comment 89 errata-xmlrpc 2024-02-21 01:40:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:0845 https://access.redhat.com/errata/RHSA-2024:0845

Comment 90 errata-xmlrpc 2024-02-21 01:44:22 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:0833 https://access.redhat.com/errata/RHSA-2024:0833

Comment 92 errata-xmlrpc 2024-02-26 16:07:58 UTC
This issue has been addressed in the following products:

  multicluster-globalhub 1.0 for RHEL 8

Via RHSA-2024:0989 https://access.redhat.com/errata/RHSA-2024:0989

Comment 93 errata-xmlrpc 2024-02-27 19:47:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7197 https://access.redhat.com/errata/RHSA-2023:7197

Comment 94 errata-xmlrpc 2024-02-27 20:50:12 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7198 https://access.redhat.com/errata/RHSA-2023:7198

Comment 96 errata-xmlrpc 2024-03-06 00:38:25 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:1052 https://access.redhat.com/errata/RHSA-2024:1052

Comment 98 Jeremy West 2024-03-19 14:34:49 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-39 [bug 2259834]

Comment 99 Jeremy West 2024-03-19 14:34:54 UTC
Created pack tracking bugs for this issue:

Affects: fedora-39 [bug 2259835]

Comment 100 Jeremy West 2024-03-19 14:35:00 UTC
Created golang-github-git-5 tracking bugs for this issue:

Affects: fedora-39 [bug 2259832]

Comment 101 Jeremy West 2024-03-19 14:56:24 UTC
Created golang-github-hashicorp-hc-install tracking bugs for this issue:

Affects: fedora-39 [bug 2259833]

Comment 102 Jeremy West 2024-03-19 14:56:37 UTC
Created golang-github-hashicorp-hc-install tracking bugs for this issue:

Affects: fedora-38 [bug 2259828]

Comment 103 Jeremy West 2024-03-19 14:56:38 UTC
Created pack tracking bugs for this issue:

Affects: fedora-38 [bug 2259830]

Comment 104 Jeremy West 2024-03-19 14:56:38 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-38 [bug 2259829]

Comment 105 Jeremy West 2024-03-19 14:56:39 UTC
Created cri-o tracking bugs for this issue:

Affects: fedora-39 [bug 2259831]

Comment 106 Jeremy West 2024-03-19 15:03:36 UTC
Created golang-github-hashicorp-hc-install tracking bugs for this issue:

Affects: fedora-39 [bug 2259833]

Comment 107 Jeremy West 2024-03-19 15:05:19 UTC
Created pack tracking bugs for this issue:

Affects: fedora-38 [bug 2259830]

Comment 108 Jeremy West 2024-03-19 15:05:21 UTC
Created cri-o:1.27/cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259826]

Comment 109 Jeremy West 2024-03-19 15:16:25 UTC
Created cri-o:1.25/cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259822]

Comment 110 Jeremy West 2024-03-19 15:16:27 UTC
Created cri-o:1.26/cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259824]

Comment 111 Jeremy West 2024-03-19 15:16:28 UTC
Created golang-github-git-5 tracking bugs for this issue:

Affects: fedora-38 [bug 2259827]

Comment 112 Jeremy West 2024-03-19 17:55:15 UTC
Created cri-o:1.25/cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259822]

Comment 113 Jeremy West 2024-03-19 17:55:33 UTC
Created cri-o:1.23/cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259818]

Comment 114 Jeremy West 2024-03-19 17:55:35 UTC
Created cri-o:1.24/cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259820]

Comment 115 Jeremy West 2024-03-19 18:03:20 UTC
Created cri-o:1.25/cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259822]

Comment 116 Jeremy West 2024-03-19 18:03:29 UTC
Created cri-o:1.22/cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259816]

Comment 117 Jeremy West 2024-03-19 18:22:51 UTC
Created cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259814]

Comment 118 Jeremy West 2024-03-19 18:23:00 UTC
Created pack tracking bugs for this issue:

Affects: epel-8 [bug 2259812]

Comment 119 Jeremy West 2024-03-19 19:34:32 UTC
Created cri-o:1.21/cri-o tracking bugs for this issue:

Affects: epel-8 [bug 2259810]

Comment 120 errata-xmlrpc 2024-03-22 16:04:15 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.10

Via RHSA-2024:0692 https://access.redhat.com/errata/RHSA-2024:0692

Comment 121 errata-xmlrpc 2024-03-27 18:47:32 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.3

Via RHSA-2024:1549 https://access.redhat.com/errata/RHSA-2024:1549

Comment 122 errata-xmlrpc 2024-03-28 05:31:18 UTC
This issue has been addressed in the following products:

  OPENSHIFT-BUILDS-1.0-RHEL-8

Via RHSA-2024:1557 https://access.redhat.com/errata/RHSA-2024:1557

Comment 123 errata-xmlrpc 2024-04-25 15:14:47 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:1896 https://access.redhat.com/errata/RHSA-2024:1896

Comment 124 errata-xmlrpc 2024-04-26 12:38:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:1891 https://access.redhat.com/errata/RHSA-2024:1891

Comment 125 errata-xmlrpc 2024-05-01 01:10:45 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2024:2631 https://access.redhat.com/errata/RHSA-2024:2631

Comment 126 errata-xmlrpc 2024-05-02 16:37:25 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:2047 https://access.redhat.com/errata/RHSA-2024:2047

Comment 128 errata-xmlrpc 2024-06-13 14:24:26 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 7.1

Via RHSA-2024:3925 https://access.redhat.com/errata/RHSA-2024:3925

Comment 129 errata-xmlrpc 2024-06-26 10:01:44 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 5.3

Via RHSA-2024:4118 https://access.redhat.com/errata/RHSA-2024:4118

Comment 130 Borja Tarraso 2024-07-29 07:06:04 UTC
Adding a public comment to show that this issue has been fixed in these errata for OCP 4.16.0, after correcting the missing CVE names in the original errata:

https://access.redhat.com/errata/RHSA-2024:0040
https://access.redhat.com/errata/RHSA-2024:0041

Comment 131 errata-xmlrpc 2024-09-03 11:45:07 UTC
This issue has been addressed in the following products:

  OPENSHIFT-BUILDS-1.1-RHEL-8

Via RHSA-2024:6221 https://access.redhat.com/errata/RHSA-2024:6221

Comment 132 errata-xmlrpc 2024-10-31 03:37:26 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:8425 https://access.redhat.com/errata/RHSA-2024:8425

