Upgrade go-git to > v.5.11 #431

davidsonff · 2024-01-11T20:46:10Z

go-git v4 is vulnerable to CVE-2023049569/CWE-22 - Path Traversal. Upgrading to v5.11 and above to mitigate this vulnerability.

davidsonff · 2024-01-11T20:47:49Z

Overview
Affected versions of this package are vulnerable to Path Traversal via malicious server replies. An attacker can create and amend files across the filesystem and potentially achieve remote code execution by sending crafted responses to the client.

Notes:

This is only exploitable if the client is using ChrootOS, which is the default for certain functions such as PlainClone.

Applications using BoundOS or in-memory filesystems are not affected by this issue.

Users running versions of go-git from v4 and above are recommended to upgrade to v5.11 in order to mitigate this vulnerability.

davidsonff · 2024-01-17T17:23:35Z

Submitted #435

niallnsec · 2024-01-30T22:42:35Z

Thanks for the PR @davidsonff !

This issue is now fixed in release v1.15.0

davidsonff added a commit to davidsonff/grule-rule-engine that referenced this issue Jan 17, 2024

Grule issue hyperjumptech#431. update go-git to v5.

6c03fa2

niallnsec pushed a commit that referenced this issue Jan 30, 2024

Fix issue #431: Update go-git to v5 to address RCE vulnerability

e4e90fe

niallnsec closed this as completed Jan 30, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Upgrade go-git to > v.5.11 #431

Upgrade go-git to > v.5.11 #431

davidsonff commented Jan 11, 2024

davidsonff commented Jan 11, 2024

davidsonff commented Jan 17, 2024

niallnsec commented Jan 30, 2024

Upgrade go-git to > v.5.11 #431

Upgrade go-git to > v.5.11 #431

Comments

davidsonff commented Jan 11, 2024

davidsonff commented Jan 11, 2024

davidsonff commented Jan 17, 2024

niallnsec commented Jan 30, 2024