High severityNVD Advisory· Published Jun 25, 2024· Updated Aug 1, 2024
HashiCorp go-getter Vulnerable to Code Execution On Git Update Via Git Config Manipulation
CVE-2024-6257
Description
HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/hashicorp/go-getterGo | < 1.7.5 | 1.7.5 |
Affected products
91- osv-coords90 versionspkg:apk/chainguard/conftestpkg:apk/chainguard/conftest-fipspkg:apk/chainguard/datadog-agentpkg:apk/chainguard/datadog-agent-core-integrationspkg:apk/chainguard/datadog-agent-core-integrations-fipspkg:apk/chainguard/datadog-agent-fakeintakepkg:apk/chainguard/datadog-agent-fakeintake-fipspkg:apk/chainguard/datadog-agent-fipspkg:apk/chainguard/datadog-agent-jmxpkg:apk/chainguard/datadog-agent-jmx-fipspkg:apk/chainguard/datadog-agent-oci-compatpkg:apk/chainguard/datadog-agent-oci-compat-fipspkg:apk/chainguard/datadog-agent-s6-overlaypkg:apk/chainguard/datadog-agent-s6-overlay-fipspkg:apk/chainguard/datadog-cluster-agentpkg:apk/chainguard/datadog-cluster-agent-fipspkg:apk/chainguard/datadog-cluster-agent-oci-compatpkg:apk/chainguard/datadog-cluster-agent-oci-compat-fipspkg:apk/chainguard/dogstatsdpkg:apk/chainguard/grypepkg:apk/chainguard/k9spkg:apk/chainguard/kotspkg:apk/chainguard/kots-compatpkg:apk/chainguard/kots-symlink-compatpkg:apk/chainguard/kubescapepkg:apk/chainguard/opentofupkg:apk/chainguard/opentofu-1.7pkg:apk/chainguard/opentofu-1.7-compatpkg:apk/chainguard/opentofu-1.7-local-provider-configpkg:apk/chainguard/opentofu-compatpkg:apk/chainguard/opentofu-local-provider-configpkg:apk/chainguard/snyk-clipkg:apk/chainguard/terraformpkg:apk/chainguard/terraform-compatpkg:apk/chainguard/terraform-fips-1.5pkg:apk/chainguard/terraform-fips-1.5-compatpkg:apk/chainguard/terraform-fips-1.5-local-provider-configpkg:apk/chainguard/terraform-local-provider-configpkg:apk/chainguard/terragruntpkg:apk/chainguard/terragrunt-docspkg:apk/chainguard/tflintpkg:apk/chainguard/tflint-compatpkg:apk/chainguard/tfsecpkg:apk/chainguard/trivypkg:apk/chainguard/trivy-fipspkg:apk/chainguard/wolfictlpkg:apk/chainguard/zarfpkg:apk/chainguard/zotpkg:apk/wolfi/conftestpkg:apk/wolfi/datadog-agentpkg:apk/wolfi/datadog-agent-core-integrationspkg:apk/wolfi/datadog-agent-fakeintakepkg:apk/wolfi/datadog-agent-jmxpkg:apk/wolfi/datadog-agent-oci-compatpkg:apk/wolfi/datadog-agent-s6-overlaypkg:apk/wolfi/datadog-cluster-agentpkg:apk/wolfi/datadog-cluster-agent-oci-compatpkg:apk/wolfi/dogstatsdpkg:apk/wolfi/grypepkg:apk/wolfi/k9spkg:apk/wolfi/kotspkg:apk/wolfi/kots-compatpkg:apk/wolfi/kots-symlink-compatpkg:apk/wolfi/kubescapepkg:apk/wolfi/opentofupkg:apk/wolfi/opentofu-1.7pkg:apk/wolfi/opentofu-1.7-compatpkg:apk/wolfi/opentofu-1.7-local-provider-configpkg:apk/wolfi/opentofu-compatpkg:apk/wolfi/opentofu-local-provider-configpkg:apk/wolfi/snyk-clipkg:apk/wolfi/terraformpkg:apk/wolfi/terraform-compatpkg:apk/wolfi/terraform-local-provider-configpkg:apk/wolfi/terragruntpkg:apk/wolfi/terragrunt-docspkg:apk/wolfi/tflintpkg:apk/wolfi/tflint-compatpkg:apk/wolfi/tfsecpkg:apk/wolfi/trivypkg:apk/wolfi/wolfictlpkg:apk/wolfi/zarfpkg:apk/wolfi/zotpkg:golang/github.com/hashicorp/go-getterpkg:rpm/opensuse/conftest&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/trivy&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/trivy&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/trivy&distro=openSUSE%20Tumbleweedpkg:rpm/suse/trivy&distro=SUSE%20Package%20Hub%2015%20SP5pkg:rpm/suse/trivy&distro=SUSE%20Package%20Hub%2015%20SP6
< 0.53.0-r1+ 89 more
- (no CPE)range: < 0.53.0-r1
- (no CPE)range: < 0.53.0-r1
- (no CPE)range: < 7.54.1-r1
- (no CPE)range: < 7.54.1-r1
- (no CPE)range: < 7.54.1-r1
- (no CPE)range: < 7.54.1-r1
- (no CPE)range: < 7.54.1-r1
- (no CPE)range: < 7.54.1-r1
- (no CPE)range: < 7.54.1-r1
- (no CPE)range: < 7.54.1-r1
- (no CPE)range: < 7.54.1-r1
- (no CPE)range: < 7.54.1-r1
- (no CPE)range: < 7.54.1-r1
- (no CPE)range: < 7.54.1-r1
- (no CPE)range: < 7.71.2-r3
- (no CPE)range: < 7.54.1-r1
- (no CPE)range: < 7.71.2-r3
- (no CPE)range: < 7.54.1-r1
- (no CPE)range: < 7.54.1-r1
- (no CPE)range: < 0.79.1-r1
- (no CPE)range: < 0.32.5-r1
- (no CPE)range: < 1.109.14-r1
- (no CPE)range: < 1.109.14-r1
- (no CPE)range: < 1.109.14-r1
- (no CPE)range: < 3.0.11-r3
- (no CPE)range: < 1.7.2-r3
- (no CPE)range: < 1.7.10-r6
- (no CPE)range: < 1.7.10-r6
- (no CPE)range: < 1.7.10-r6
- (no CPE)range: < 1.7.2-r3
- (no CPE)range: < 1.7.2-r3
- (no CPE)range: < 1.1291.1-r3
- (no CPE)range: < 1.5.7-r14
- (no CPE)range: < 1.5.7-r34
- (no CPE)range: < 1.5.7-r15
- (no CPE)range: < 1.5.7-r15
- (no CPE)range: < 1.5.7-r15
- (no CPE)range: < 1.5.7-r14
- (no CPE)range: < 0.59.5-r1
- (no CPE)range: < 0.59.5-r1
- (no CPE)range: < 0.51.1-r2
- (no CPE)range: < 0.51.1-r2
- (no CPE)range: < 1.28.6-r3
- (no CPE)range: < 0.52.2-r1
- (no CPE)range: < 0.52.2-r1
- (no CPE)range: < 0.19.0-r1
- (no CPE)range: < 0.35.0-r2
- (no CPE)range: < 2.0.4-r8
- (no CPE)range: < 0.53.0-r1
- (no CPE)range: < 7.54.1-r1
- (no CPE)range: < 7.54.1-r1
- (no CPE)range: < 7.54.1-r1
- (no CPE)range: < 7.54.1-r1
- (no CPE)range: < 7.54.1-r1
- (no CPE)range: < 7.54.1-r1
- (no CPE)range: < 7.71.2-r3
- (no CPE)range: < 7.71.2-r3
- (no CPE)range: < 7.54.1-r1
- (no CPE)range: < 0.79.1-r1
- (no CPE)range: < 0.32.5-r1
- (no CPE)range: < 1.109.14-r1
- (no CPE)range: < 1.109.14-r1
- (no CPE)range: < 1.109.14-r1
- (no CPE)range: < 3.0.11-r3
- (no CPE)range: < 1.7.2-r3
- (no CPE)range: < 1.7.10-r6
- (no CPE)range: < 1.7.10-r6
- (no CPE)range: < 1.7.10-r6
- (no CPE)range: < 1.7.2-r3
- (no CPE)range: < 1.7.2-r3
- (no CPE)range: < 1.1291.1-r3
- (no CPE)range: < 1.5.7-r14
- (no CPE)range: < 1.5.7-r34
- (no CPE)range: < 1.5.7-r14
- (no CPE)range: < 0.59.5-r1
- (no CPE)range: < 0.59.5-r1
- (no CPE)range: < 0.51.1-r2
- (no CPE)range: < 0.51.1-r2
- (no CPE)range: < 1.28.6-r3
- (no CPE)range: < 0.52.2-r1
- (no CPE)range: < 0.19.0-r1
- (no CPE)range: < 0.35.0-r2
- (no CPE)range: < 2.0.4-r8
- (no CPE)range: < 1.7.5
- (no CPE)range: < 0.54.0-1.1
- (no CPE)range: < 0.54.1-bp155.2.3.1
- (no CPE)range: < 0.54.1-bp156.2.3.1
- (no CPE)range: < 0.53.0-1.1
- (no CPE)range: < 0.54.1-bp155.2.3.1
- (no CPE)range: < 0.54.1-bp156.2.3.1
- HashiCorp/Shared libraryv5Range: 0
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-xfhp-jf8p-mh5wghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-6257ghsaADVISORY
- discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081ghsaWEB
- github.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9ghsaWEB
News mentions
0No linked articles in our index yet.