CVE-2024-3817: Argument Injection in Shared Library

CWE-88: Argument Injection | 11 documents | 7 sources
Severity
9.8 CRITICAL (NVD)
EPSS
2.1%
top 15.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Apr 17
Latest update: Jul 15

Description

HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. This vulnerability does not affect the go-getter/v2 branch and package.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (3 packages)

NVD | hashicorp/go-getter | 1.5.9 | 1.7.4
Go | github.com/hashicorp_go-getter | 1.5.9 | 1.7.4
CVEListV5 | hashicorp/shared_library | 1.5.9 | 1.7.3

🔴Vulnerability Details

5
OSV | Argument injection when fetching remote default Git branches in github.com/hashicorp/go-getter | 2024-05-10
GHSA | HashiCorp go-getter Vulnerable to Argument Injection When Fetching Remote Default Git Branches | 2024-04-17
OSV | HashiCorp go-getter Vulnerable to Argument Injection When Fetching Remote Default Git Branches | 2024-04-17
OSV | CVE-2024-3817: HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches | 2024-04-17
CVEList | HashiCorp go-getter Vulnerable to Argument Injection When Fetching Remote Default Git Branches | 2024-04-17

📋Vendor Advisories

5
Oracle | Oracle Oracle JD Edwards Risk Matrix: Enterprise Infrastructure SEC (OpenSSL) — CVE-2023-3817 | 2024-07-15
Oracle | Oracle Oracle Analytics Risk Matrix: Installation (OpenSSL) — CVE-2023-3817 | 2024-04-15
Microsoft | HashiCorp go-getter Vulnerable to Argument Injection When Fetching Remote Default Git Branches | 2024-04-09
Oracle | Oracle Oracle Fusion Middleware Risk Matrix: SSL Module (OpenSSL) — CVE-2023-3817 | 2024-01-15
Debian | CVE-2024-3817: golang-github-hashicorp-go-getter - HashiCorp’s go-getter library is vulnerable to argument injection when executing... | 2024
CVE-2024-3817 — Argument Injection in Shared Library | cvebase