Summary: HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. This vulnerability does not affect the go-getter/v2 branch and package. Affected Products / Versions: go-getter 1.5.9 up to 1.7.3; fixed in 1.7.4 https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040
Created opentofu tracking bugs for this issue: Affects: fedora-all [bug 2275808] Created vagrant tracking bugs for this issue: Affects: fedora-all [bug 2275809]
We are not using any Go functionality in Vagrant package.