Malicious Git Configuration Execution via go-getter Library
CVE-2024-6257

8.4 HIGH

Key Information:

Vendor: HashiCorp
Status: Shared Library
CVE Published: 25 June 2024

Summary

HashiCorp's go-getter library is vulnerable to a flaw that lets an attacker manipulate the Git configuration it uses, potentially leading to arbitrary code execution. By coercing the library into running a Git update against a maliciously modified configuration, an attacker can execute unwanted code in the user's environment. This issue underscores the importance of secure coding practices and careful configuration management in protecting against such vulnerabilities.

Affected Version(s)

Shared library (64 bit): versions from 0 up to, but not including, 1.7.4

References

CVSS V3.1

Score: 8.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved

Collectors

NVD Database, Mitre Database