CVE-2023-49569

A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worse case scenario, remote code execution could be achieved. Applications are only affected if they are using the ChrootOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS , which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS or in-memory filesystems are not affected by this issue. This is a go-git implementation issue and does not affect the upstream git cli.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88	Vendor Advisory
https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:go-git_project:go-git:*:*:*:*:*:go:*:*

History

21 Nov 2024, 08:33

Type	Values Removed	Values Added
References	~~() https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88 - Vendor Advisory~~	() https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88 - Vendor Advisory

22 Jan 2024, 18:57

Type	Values Removed	Values Added
CPE		cpe:2.3:a:go-git_project:go-git::::::go::*
First Time		Go-git Project Go-git Project go-git
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
References	~~() https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88 -~~	() https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88 - Vendor Advisory

12 Jan 2024, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-01-12 11:15

Updated : 2024-11-21 08:33

NVD link : CVE-2023-49569

Mitre link : CVE-2023-49569

CVE.ORG link : CVE-2023-49569

JSON object : View

Products Affected

go-git_project

go-git

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2023-49569", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve-requests@bitdefender.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2024-01-12T11:15:13.250", "references": [{"url": "https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88", "tags": ["Vendor Advisory"], "source": "cve-requests@bitdefender.com"}, {"url": "https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cve-requests@bitdefender.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worse case scenario, remote code execution could be achieved.\n\nApplications are only affected if they are using the ChrootOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS , which is the default when using \"Plain\" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS \u00a0or in-memory filesystems are not affected by this issue.\nThis is a go-git\u00a0implementation issue and does not affect the upstream git\u00a0cli.\n\n\n"}, {"lang": "es", "value": "Se descubri\u00f3 una vulnerabilidad de path traversal en versiones de go-git anteriores a la v5.11. Esta vulnerabilidad permite a un atacante crear y modificar archivos en todo el sistema de archivos. En el peor de los casos, se podr\u00eda lograr la ejecuci\u00f3n remota de c\u00f3digo. Las aplicaciones solo se ven afectadas si usan ChrootOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS, que es el valor predeterminado cuando se usan versiones \"simples\" de Open y funciones de clonaci\u00f3n (por ejemplo, PlainClone). Las aplicaciones que utilizan BoundOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS o sistemas de archivos en memoria no se ven afectados por este problema. Este es un problema de implementaci\u00f3n de go-git y no afecta el cli de git ascendente."}], "lastModified": "2024-11-21T08:33:34.583", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:go-git_project:go-git:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "61C9245F-61A4-4756-83B1-13CE56E28FF0", "versionEndExcluding": "5.11.0", "versionStartIncluding": "4.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve-requests@bitdefender.com"}