HCSEC-2024-13 - HashiCorp go-getter Vulnerable to Code Execution On Git Update Via Git Config Manipulation

Bulletin ID: HCSEC-2024-13
Affected Products / Versions: go-getter up to 1.7.4; fixed in go-getter 1.7.5.
Publication Date: June 24, 2024

HashiCorp’s go-getter library can be coerced into executing a Git update against an existing, maliciously modified Git configuration, potentially leading to arbitrary code execution. This vulnerability, CVE-2024-6257, was fixed in go-getter 1.7.5.

HashiCorp’s go-getter is a library for Go for downloading files or directories from various sources using a URL as the primary form of input.

When go-getter performs a Git operation, it tries to clone the given repository into a specified destination. Cloning initializes a Git config in the provided destination, and if the repository later needs to be updated, go-getter pulls the new changes into that same destination.

An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution.
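One defensive check a consumer of the library can apply before reusing an existing destination for an update, added here as an example rather than go-getter's own code: parse the destination's `.git/config` and refuse the in-place update if it contains any key beyond those a fresh `git clone` writes (the allowlist and the `sampleConfig` are assumptions constructed for this example).

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Keys a fresh `git clone` writes to .git/config (assumed policy for this example,
// not go-getter's own logic). Anything else means the config changed after cloning.
var allowedKeys = map[string]bool{
	"core.repositoryformatversion": true, "core.filemode": true, "core.bare": true,
	"core.logallrefupdates": true, "core.ignorecase": true, "core.precomposeunicode": true,
	"remote.origin.url": true, "remote.origin.fetch": true,
}

// UnexpectedKeys parses INI-style git config text and returns every fully
// qualified key (e.g. "remote.origin.url") that is not allowlisted.
func UnexpectedKeys(config string) []string {
	section, bad := "", []string(nil)
	sc := bufio.NewScanner(strings.NewReader(config))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue // blank or comment line
		}
		if hdr := strings.Fields(strings.Trim(line, "[]")); line[0] == '[' && len(hdr) > 0 {
			section = strings.ToLower(hdr[0]) // [remote "origin"] -> remote.origin
			if len(hdr) > 1 {
				section += "." + strings.Trim(hdr[1], `"`)
			}
			continue
		}
		name, _, _ := strings.Cut(line, "=")
		key := section + "." + strings.ToLower(strings.TrimSpace(name))
		// clone also writes branch.<name>.remote and branch.<name>.merge
		branchKey := strings.HasPrefix(key, "branch.") &&
			(strings.HasSuffix(key, ".remote") || strings.HasSuffix(key, ".merge"))
		if !allowedKeys[key] && !branchKey {
			bad = append(bad, key)
		}
	}
	return bad
}
// Constructed sample: a clone's config plus one setting added afterwards.
const sampleConfig = "[core]\n\tbare = false\n\tunexpectedsetting = true\n" +
	"[remote \"origin\"]\n\turl = https://example.invalid/repo.git\n[branch \"main\"]\n\tremote = origin\n"
func main() {
	fmt.Println("unexpected keys:", UnexpectedKeys(sampleConfig)) // [core.unexpectedsetting]
}
```

When the returned list is non-empty, discard the destination and clone afresh rather than letting an update run against the modified configuration.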

Consumers of the go-getter library should evaluate the risk associated with these issues in the context of their go-getter usage and upgrade go-getter to 1.7.5 or later. The latest go-getter releases can be found at https://github.com/hashicorp/go-getter/releases.

This issue was identified by Kraken Security Labs.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.