CVE-2023-49569
published 2024-01-12

Priority P260 · critical · 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.52% (71.5th percentile)

A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worst-case scenario, remote code execution could be achieved. Applications are only affected if they are using ChrootOS (https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS), which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS (https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS) or in-memory filesystems are not affected by this issue. This is a go-git implementation issue and does not affect the upstream git CLI.

Affected

11 ranges
Vendor | Product | Version range | Fixed in
debian | golang-github-go-git-go-git | < golang-github-go-git-go-git 5.11.0-1 (forky) | golang-github-go-git-go-git 5.11.0-1 (forky)
github.com | go-git_go-git_v5 | >= 5.0.0 < 5.11.0 | 5.11.0
go-git | go-git | |
go-git_project | go-git | >= 4.0.0 < 5.11.0 | 5.11.0
gopkg.in | src-d_go-git.v4 | 4.0.0 – 4.13.1 |
gopkg.in | src-d_go-git.v4 | >= 4.7.1 |
msrc | azl3_packer_1.9.4-1_on_azure_linux_3.0 | |
msrc | azl3_packer_1.9.5-1_on_azure_linux_3.0 | |
msrc | cbl2_cri-o_1.22.3-12_on_cbl_mariner_2.0 | |
msrc | cbl2_packer_1.8.7-2_on_cbl_mariner_2.0 | |
msrc | cbl2_packer_1.9.5-3_on_cbl_mariner_2.0 | |

Detection & IOCs (extracted from sources)

  • Vulnerability is triggered when applications use ChrootOS (the default filesystem for 'Plain' variants of Open and Clone functions such as PlainClone) in go-git versions prior to v5.11; detect use of these APIs in code or dependency manifests
  • Applications using BoundOS or in-memory filesystems are NOT affected; the presence of BoundOS can serve as a detection/mitigation signal to confirm non-exposure
  • The vulnerability is exploitable via maliciously crafted Git server replies; monitor go-git client connections to untrusted/external Git servers as a risk indicator
  • Scan software bill of materials (SBOM) and Go module dependency files (go.mod/go.sum) for github.com/go-git/go-git/v5 versions prior to v5.11 to identify vulnerable deployments
  • Only go-git deployments using ChrootOS (the default for PlainOpen, PlainClone, etc.) are vulnerable; BoundOS and in-memory filesystem users are not affected
  • This is a go-git (Go library) implementation issue only; the upstream git CLI is not affected
  • In OpenShift Container Platform, the vulnerable package is used as a dependency in many components where the vulnerable function is not used, reducing impact to Low

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv: 9.8 CRITICAL
vendor_debian: 9.8 CRITICAL
vendor_msrc: 9.8 CRITICAL
vendor_redhat: 9.8 CRITICAL
vendor_ubuntu: 7.5 HIGH