2294254 – (CVE-2024-6257) CVE-2024-6257 hashicorp/go-getter: Arbitrary command execution through local git config file

Bug 2294254 (CVE-2024-6257) - CVE-2024-6257 hashicorp/go-getter: Arbitrary command execution through local git config file

Summary: CVE-2024-6257 hashicorp/go-getter: Arbitrary command execution through local ...

Keywords:
Status:	NEW
Alias:	CVE-2024-6257
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2294256 2294255 2294257
Blocks:	2294258
TreeView+	depends on / blocked

Reported:	2024-06-25 19:06 UTC by Pedro Sampaio
Modified:	2024-10-29 08:27 UTC (History)
CC List:	9 users (show)
Fixed In Version:	go-getter 1.7.5
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Pedro Sampaio 2024-06-25 19:06:54 UTC

HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.

References:

https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081

Comment 1 Pedro Sampaio 2024-06-25 19:14:08 UTC

Created opentofu tracking bugs for this issue:

Affects: fedora-all [bug 2294255]


Created trivy tracking bugs for this issue:

Affects: fedora-all [bug 2294256]


Created vagrant tracking bugs for this issue:

Affects: fedora-all [bug 2294257]

Note You need to log in before you can comment on or make changes to this bug.