CVE-2024-3817 - OpenCVE

HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. This vulnerability does not affect the go-getter/v2 branch and package.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

No data.

No data.

References

Link	Resource
https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: HashiCorp

Published: 2024-04-17T19:37:25.878Z

Updated: 2024-06-04T17:31:04.582Z

Reserved: 2024-04-15T14:04:27.869Z

Link: CVE-2024-3817

JSON object: View

NVD Information

Status : Awaiting Analysis

Published: 2024-04-17T20:15:08.383

Modified: 2024-04-18T13:04:28.900

Link: CVE-2024-3817

JSON object: View

Redhat Information

No data.

CWE

CWE-88

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-3817", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "state": "PUBLISHED", "assignerShortName": "HashiCorp", "dateReserved": "2024-04-15T14:04:27.869Z", "datePublished": "2024-04-17T19:37:25.878Z", "dateUpdated": "2024-06-04T17:31:04.582Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "product": "Shared library", "repo": "https://github.com/hashicorp/go-getter", "vendor": "HashiCorp", "versions": [{"lessThan": "1.7.3", "status": "affected", "version": "1.5.9", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>HashiCorp\u2019s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. \n\nThis vulnerability does not affect the go-getter/v2 branch and package.</p><br/>"}], "value": "HashiCorp\u2019s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. \n\nThis vulnerability does not affect the go-getter/v2 branch and package."}], "impacts": [{"capecId": "CAPEC-248", "descriptions": [{"lang": "en", "value": "CAPEC-248: Command Injection"}]}], "metrics": [{"cvssV3_1": {"baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-88", "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (Argument Injection)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2024-04-17T19:37:25.878Z"}, "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040"}], "source": {"advisory": "HCSEC-2024-09", "discovery": "EXTERNAL"}, "title": "HashiCorp go-getter Vulnerable to Argument Injection When Fetching Remote Default Git Branches"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3817", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-23T16:09:26.407809Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:hashicorp:go-getter:1.5.9:*:*:*:*:*:*:*"], "vendor": "hashicorp", "product": "go-getter", "versions": [{"status": "affected", "version": "1.5.9", "lessThan": "1.7.3", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:31:04.582Z"}}]}}