Malicious Git Configuration Execution via go-getter Library
CVE-2024-6257

8.4HIGH

Key Information:

Vendor: Hashicorp
Status: Shared Library
Vendor: CVE Published:; 25 June 2024

What is CVE-2024-6257?

The Go-Getter library from HashiCorp is susceptible to a vulnerability that allows an attacker to manipulate the Git configuration, potentially leading to arbitrary code execution. By coercing the library into executing a Git update on a maliciously modified configuration, attackers can exploit this weakness to execute unwanted code within the user's environment. This issue underscores the importance of secure coding practices and vigilant configuration management to protect against such vulnerabilities.

Affected Version(s)

Shared library 64 bit 0 < 1.7.4

References

https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-g...

CVSS V3.1

Score:

8.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 25, 2024
Vulnerability Reserved
Jun 21, 2024

Hashicorp

What is CVE-2024-6257?

Affected Version(s)

References

CVSS V3.1

Timeline