Git Injection Vulnerability Affects HashiCorp's go-getter Library
CVE-2024-3817
9.8 CRITICAL
Summary
HashiCorp's go-getter library is vulnerable to argument injection when it executes Git commands to fetch remote branches. The flaw can be exploited by manipulating the inputs that reach those commands, particularly in scenarios involving remote repository interactions. The vulnerability does not affect the go-getter/v2 branch and package, so those versions are not exposed to this issue.
Affected Version(s)
Shared library 64 bit 1.5.9 < 1.7.3
CVSS V3.1
Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Collectors
NVD Database, Mitre Database