Argument Injection Affecting github.com/hashicorp/go-getter package, versions >=1.5.9 <1.7.4
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMHASHICORPGOGETTER-6663928
- published 19 Apr 2024
- disclosed 17 Apr 2024
- credit Alessio Della Libera
Introduced: 17 Apr 2024
CVE-2024-3817 Open this link in a new tabHow to fix?
Upgrade github.com/hashicorp/go-getter to version 1.7.4 or higher.
Overview
github.com/hashicorp/go-getter is a Package for downloading things from a string URL using a variety of protocols.
Affected versions of this package are vulnerable to Argument Injection when the library is performing a Git operation, it will try to clone the given repository. If a Git reference is not passed along with the Git url, go-getter will then try to check the remote repository’s HEAD reference of its default branch by passing arguments to the Git binary on the host it is executing on. An attacker may format a Git URL in order to inject additional Git arguments to the Git call.
Note: This vulnerability does not affect the go-getter/v2 branch and package.