Critical severityNVD Advisory· Published Apr 17, 2024· Updated Aug 1, 2024
HashiCorp go-getter Vulnerable to Argument Injection When Fetching Remote Default Git Branches
CVE-2024-3817
Description
HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches.
This vulnerability does not affect the go-getter/v2 branch and package.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/hashicorp/go-getterGo | >= 1.5.9, < 1.7.4 | 1.7.4 |
Affected products
38- osv-coords37 versionspkg:apk/chainguard/conftestpkg:apk/chainguard/conftest-fipspkg:apk/chainguard/k9spkg:apk/chainguard/kubescapepkg:apk/chainguard/opentofupkg:apk/chainguard/opentofu-compatpkg:apk/chainguard/opentofu-local-provider-configpkg:apk/chainguard/terraformpkg:apk/chainguard/terraform-compatpkg:apk/chainguard/terraform-fips-1.5pkg:apk/chainguard/terraform-fips-1.5-compatpkg:apk/chainguard/terraform-fips-1.5-local-provider-configpkg:apk/chainguard/terraform-local-provider-configpkg:apk/chainguard/tflintpkg:apk/chainguard/tflint-compatpkg:apk/chainguard/tfsecpkg:apk/chainguard/zarfpkg:apk/chainguard/zotpkg:apk/wolfi/conftestpkg:apk/wolfi/k9spkg:apk/wolfi/kubescapepkg:apk/wolfi/opentofupkg:apk/wolfi/opentofu-compatpkg:apk/wolfi/opentofu-local-provider-configpkg:apk/wolfi/terraformpkg:apk/wolfi/terraform-compatpkg:apk/wolfi/terraform-local-provider-configpkg:apk/wolfi/tflintpkg:apk/wolfi/tflint-compatpkg:apk/wolfi/tfsecpkg:apk/wolfi/zarfpkg:apk/wolfi/zotpkg:golang/github.com/hashicorp/go-getterpkg:rpm/opensuse/trivy&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/trivy&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/trivy&distro=openSUSE%20Tumbleweedpkg:rpm/suse/trivy&distro=SUSE%20Package%20Hub%2015%20SP6
< 0.52.0-r0+ 36 more
- (no CPE)range: < 0.52.0-r0
- (no CPE)range: < 0.52.0-r0
- (no CPE)range: < 0.32.4-r3
- (no CPE)range: < 3.0.9-r0
- (no CPE)range: < 1.7.0-r0
- (no CPE)range: < 1.7.0-r0
- (no CPE)range: < 1.7.0-r0
- (no CPE)range: < 1.5.7-r8
- (no CPE)range: < 1.5.7-r8
- (no CPE)range: < 1.5.7-r9
- (no CPE)range: < 1.5.7-r9
- (no CPE)range: < 1.5.7-r9
- (no CPE)range: < 1.5.7-r8
- (no CPE)range: < 0.51.0-r0
- (no CPE)range: < 0.51.0-r0
- (no CPE)range: < 1.28.5-r3
- (no CPE)range: < 0.33.1-r1
- (no CPE)range: < 2.0.4-r0
- (no CPE)range: < 0.52.0-r0
- (no CPE)range: < 0.32.4-r3
- (no CPE)range: < 3.0.9-r0
- (no CPE)range: < 1.7.0-r0
- (no CPE)range: < 1.7.0-r0
- (no CPE)range: < 1.7.0-r0
- (no CPE)range: < 1.5.7-r8
- (no CPE)range: < 1.5.7-r8
- (no CPE)range: < 1.5.7-r8
- (no CPE)range: < 0.51.0-r0
- (no CPE)range: < 0.51.0-r0
- (no CPE)range: < 1.28.5-r3
- (no CPE)range: < 0.33.1-r1
- (no CPE)range: < 2.0.4-r0
- (no CPE)range: >= 1.5.9, < 1.7.4
- (no CPE)range: < 0.58.2-bp156.2.6.1
- (no CPE)range: < 0.66.0-bp160.1.1
- (no CPE)range: < 0.58.2-1.1
- (no CPE)range: < 0.58.2-bp156.2.6.1
- HashiCorp/Shared libraryv5Range: 1.5.9
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-q64h-39hv-4cf7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-3817ghsaADVISORY
- discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040ghsaWEB
- github.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9ghsaWEB
News mentions
0No linked articles in our index yet.