Maliciously crafted Git server replies can cause DoS on go-git clients
CVE-2023-49568

7.5HIGH

Key Information:

Vendor: go-git
Status: go-git
Vendor: CVE Published:; 12 January 2024

Summary

A denial of service vulnerability exists in go-git versions prior to v5.11, allowing attackers to exploit the system through specially crafted responses from a Git server. This attack can lead to resource exhaustion in go-git clients, affecting system performance and availability. Notably, applications that utilize only the in-memory filesystem provided by go-git remain unaffected. This issue is identified as a specific implementation vulnerability within go-git and does not impact the upstream Git command-line interface.

Affected Version(s)

go-git 5.11.0

References

https://github.com/go-git/go-git/security/advisories/GHSA...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 12, 2024
Vulnerability Reserved
Nov 27, 2023

Credit

Ionuț Lalu