CVE-2023-49569 — Path Traversal in go-git v5
Severity
NVD: 9.8 CRITICAL
OSV: 7.5
EPSS: 4.0% (top 11.50%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: 2024-01-12
Latest update: Mar 12
Description
A path traversal vulnerability was discovered in go-git versions prior to v5.11. It allows a malicious Git server to create and amend files anywhere on the client's filesystem that the go-git process can write to. In the worst-case scenario, remote code execution could be achieved.
Applications are only affected if they are using ChrootOS (https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS), which is the default when using the "Plain" versions of the Open and Clone functions (e.g. PlainClone). Applications using BoundOS https://pkg.go.d…
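The first thing a practitioner wants from this advisory is a way to find out whether their build actually pulls in an affected go-git. The following program is an added example, not code from the page or from the go-git project: it reads the JSON stream that `go list -m -json all` prints, resolves replace directives, and flags any `github.com/go-git/go-git/v5` version that sorts before the fix. Assumptions: the advisory's "prior to v5.11" is read as the v5.11.0 tag being the first fixed release; only the v5 module path is checked; the file name check.go and the -sample flag are the example's own; sampleGoList is a constructed excerpt, not output from any real project. It reports versions only, so it cannot tell you whether the code path in question uses ChrootOS (the PlainClone default) or BoundOS, which the description above makes the precondition.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strconv"
	"strings"
)

// goGitModule is the module path of go-git v5, the only major version the advisory scopes the fix to.
const goGitModule = "github.com/go-git/go-git/v5"

// module holds the `go list -m -json` fields this check needs.
type module struct {
	Path    string
	Version string
	Replace *module
}

// affected reports whether a go-git v5 version sorts before the fixed release.
// The advisory says "prior to v5.11"; this check assumes that means the v5.11.0
// tag. Semver puts every pre-release or pseudo-version (e.g. "v5.11.0-rc1",
// "v5.10.2-0.20231201000000-abcdef123456") before the release it precedes.
func affected(version string) (bool, error) {
	v, pre := strings.TrimPrefix(version, "v"), false
	if i := strings.IndexByte(v, '-'); i >= 0 {
		v, pre = v[:i], true
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return false, fmt.Errorf("unexpected version %q", version)
	}
	for i, want := range [3]int{5, 11, 0} {
		n, err := strconv.Atoi(parts[i])
		if err != nil {
			return false, fmt.Errorf("unexpected version %q: %w", version, err)
		}
		if n != want {
			return n < want, nil
		}
	}
	return pre, nil // exactly v5.11.0 is fixed; any v5.11.0-<pre> precedes it
}

// findAffected reads the concatenated JSON objects printed by `go list -m -json all`
// and returns one line per affected go-git module. A replace directive wins, since
// that is the code actually built; a replace to a local directory has no version.
func findAffected(r io.Reader) ([]string, error) {
	dec := json.NewDecoder(r)
	var findings []string
	for {
		var m module
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		if m.Replace != nil {
			m = *m.Replace
		}
		if m.Path != goGitModule || m.Version == "" {
			continue
		}
		if bad, err := affected(m.Version); err != nil {
			return nil, err
		} else if bad {
			findings = append(findings, m.Path+" "+m.Version+": affected by CVE-2023-49569, upgrade to v5.11.0 or later")
		}
	}
	return findings, nil
}

// sampleGoList is a constructed `go list -m -json all` excerpt for the -sample
// run; it is not output captured from any real project.
const sampleGoList = `{"Path": "example.com/app", "Main": true}
{"Path": "github.com/go-git/go-git/v5", "Version": "v5.10.1"}
{"Path": "github.com/go-git/go-billy/v5", "Version": "v5.5.0", "Indirect": true}
`

// Usage: go list -m -json all | go run check.go   (or: go run check.go -sample)
func main() {
	var in io.Reader = os.Stdin
	if len(os.Args) > 1 && os.Args[1] == "-sample" {
		in = strings.NewReader(sampleGoList)
	}
	findings, err := findAffected(in)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	if len(findings) == 0 {
		fmt.Println("no affected go-git v5 version in the module graph")
		return
	}
	fmt.Println(strings.Join(findings, "\n"))
	os.Exit(1) // non-zero so a CI step fails on a hit
}
```

Run it from the module root so `go list -m all` sees the full module graph, including indirect dependencies that a vendored tool may pull in. A replace directive pointing at a local checkout has no version and is skipped, so audit such checkouts by hand; a module whose version is flagged still only matters if the application reaches ChrootOS through PlainClone, PlainOpen or an osfs filesystem created without the bound option.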
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9
Affected Packages: 10 packages
Vulnerability Details (5 entries)
OSV, 2024-01-12: CVE-2023-49569: A path traversal vulnerability was discovered in go-git versions prior to v5
GHSA, 2024-01-10: Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients
OSV, 2024-01-10: Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients
Vendor Advisories (4 entries)
Red Hat, 2024-01-09: go-git: Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients
Microsoft, 2024-01-09: Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients
Debian, 2023: CVE-2023-49569: golang-github-go-git-go-git - A path traversal vulnerability was discovered in go-git versions prior to v5.11....