CVE-2024-6257 HashiCorp go-getter Vulnerable to Code Execution On Git Update Via Git Config Manipulation

2024-06-2516:31:03

CWE-77

HashiCorp

www.cve.org

hashicorp

go-getter

library

cve-2024-6257

vulnerability

git update

code execution

git config manipulation

arbitrary code execution

8.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

0.0004 Low

EPSS

Percentile

9.1%

JSON

HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "64 bit",
      "32 bit",
      "x86",
      "ARM",
      "MacOS",
      "Windows",
      "Linux"
    ],
    "product": "Shared library",
    "repo": "https://github.com/hashicorp/go-getter",
    "vendor": "HashiCorp",
    "versions": [
      {
        "lessThan": "1.7.4",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]