Bulletin ID: HCSEC-2024-13
Affected Products / Versions: go-getter up to 1.7.4; fixed in go-getter 1.7.5.
Publication Date: June 24, 2024
Summary
HashiCorp’s go-getter library can be coerced into running a Git update against an existing checkout whose Git configuration has been maliciously modified, potentially leading to arbitrary code execution. This vulnerability, CVE-2024-6257, was fixed in go-getter 1.7.5.
Background
HashiCorp’s go-getter is a library for Go for downloading files or directories from various sources using a URL as the primary form of input.
Details
When go-getter performs a Git operation, it tries to clone the given repository into the specified destination. Cloning initializes a Git config in that destination, and if the repository later needs to be updated, go-getter pulls the new changes into the existing checkout.
An attacker may alter the Git config after the cloning step, setting arbitrary Git configuration values to achieve code execution when the update runs.
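As an added illustration (not go-getter's own code, and not how the 1.7.5 fix is implemented), one defensive pattern against this class of issue: record a digest of the checkout's .git/config immediately after cloning, and refuse to run the update step if that file has changed since. The names ConfigDigest, SafeUpdate, ErrConfigTampered and the injected runGit runner are assumptions for this sketch.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Hypothetical hardening sketch, not go-getter's code: capture a digest of
// <dest>/.git/config right after clone and refuse to update (git pull) if the
// file differs later. A changed config is treated as tampering and the
// checkout is discarded so the caller re-clones from scratch.

// ConfigDigest returns the SHA-256 of the repository-local config file.
func ConfigDigest(dest string) ([32]byte, error) {
	data, err := os.ReadFile(filepath.Join(dest, ".git", "config"))
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(data), nil
}

var ErrConfigTampered = errors.New("repository config changed since clone; refusing to update")

// SafeUpdate runs the pull only when the current config digest still matches
// the baseline captured after clone. runGit is an injected command runner
// (e.g. a wrapper around exec.Command("git", args...)) so it can be stubbed.
func SafeUpdate(dest string, baseline [32]byte, runGit func(args ...string) error) error {
	current, err := ConfigDigest(dest)
	if err != nil {
		return err
	}
	if current != baseline {
		// Never pull on a modified config; remove the checkout instead.
		if rmErr := os.RemoveAll(dest); rmErr != nil {
			return fmt.Errorf("%w (cleanup failed: %v)", ErrConfigTampered, rmErr)
		}
		return ErrConfigTampered
	}
	return runGit("-C", dest, "pull", "--ff-only")
}
```

A caller would clone, call ConfigDigest once to obtain the baseline, store it alongside the destination, and pass it to SafeUpdate on every subsequent update.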
Remediation
Consumers of the go-getter library should evaluate the risk associated with this issue in the context of their go-getter usage and upgrade go-getter to 1.7.5 or later. The latest go-getter releases can be found at https://github.com/hashicorp/go-getter/releases.
Acknowledgement
This issue was identified by Kraken Security Labs.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.