Bug 2275807 (CVE-2024-3817) - CVE-2024-3817 hashicorp/go-getter: argument injection when fetching remote default git branches
Status: CLOSED NOTABUG
Alias: CVE-2024-3817
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
Depends On: 2275809 2275808
Reported: 2024-04-17 21:34 UTC by Robb Gatica
Modified: 2024-04-19 09:36 UTC

Fixed In Version: go-getter 1.7.4
Last Closed: 2024-04-19 09:36:25 UTC



Description Robb Gatica 2024-04-17 21:34:14 UTC
Summary:
HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. This vulnerability does not affect the go-getter/v2 branch and package.

Affected Products / Versions: 
go-getter 1.5.9 up to 1.7.3; fixed in 1.7.4



https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040

Comment 1 Robb Gatica 2024-04-17 21:34:33 UTC
Created opentofu tracking bugs for this issue:

Affects: fedora-all [bug 2275808]


Created vagrant tracking bugs for this issue:

Affects: fedora-all [bug 2275809]

Comment 2 Vít Ondruch 2024-04-19 09:36:25 UTC
We are not using any Go functionality in the Vagrant package.

