CVE-2024-6257
Published 2024-06-25
CVE-2024-6257: HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.
Priority: P3 47 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.97% (57.6th percentile)
HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-github-hashicorp-go-getter | — | — |
| github.com | hashicorp_go-getter | >= 0 < 1.7.5 | 1.7.5 |
| hashicorp | go-getter | < 1.7.5 | 1.7.5 |
| hashicorp | shared_library | < 1.7.4 | 1.7.4 |
| msrc | cbl2_terraform_1.3.2-17_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_terraform_1.3.2-25_on_cbl_mariner_2.0 | — | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| osv | 8.8 | HIGH | — |
| vendor_debian | 8.4 | HIGH | — |
| vendor_msrc | 8.4 | HIGH | — |
| vendor_redhat | 8.4 | HIGH | — |
Red Hat
hashicorp/go-getter: Arbitrary command execution through local git config file
vendor_redhat · 2024-06-25 · CVSS 8.4 · HIGH · CWE-77
HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.
Package: rhtap-contract-tenant/cli-v01 (Red Hat Trusted Application Pipeline) - Will not fix
Package: rhtap-contract-tenant/cli-v02 (Red Hat Trusted Application Pipeline) - Affected
Microsoft
HashiCorp go-getter Vulnerable to Code Execution On Git Update Via Git Config Manipulation
vendor_msrc · 2024-06-11 · CVSS 8.4 · HIGH · CWE-77
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Tags: Mariner · HashiCorp
Customer Action Required: Yes
Remediation: CBL
Debian
CVE-2024-6257: golang-github-hashicorp-go-getter
vendor_debian · 2024 · CVSS 8.4 · HIGH
HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.
Scope: local
bookworm: open
bullseye: open
OSV
Code Execution on Git update in github.com/hashicorp/go-getter
osv · 2024-06-28
A crafted request can execute Git update on an existing maliciously modified Git Configuration. This can potentially lead to arbitrary code execution. When performing a Git operation, the library will try to clone the given repository to a specified destination. Cloning initializes a git config in the provided destination. An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution.
OSV
HashiCorp go-getter Vulnerable to Code Execution On Git Update Via Git Config Manipulation
osv · 2024-06-25 · HIGH
HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution. When go-getter is performing a Git operation, go-getter will try to clone the given repository in a specified destination. Cloning initializes a git config in the provided destination, and if the repository needs to be updated go-getter will pull the new changes.
An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution.
GHSA
HashiCorp go-getter Vulnerable to Code Execution On Git Update Via Git Config Manipulation
ghsa · 2024-06-25 · HIGH · CWE-77
HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution. When go-getter is performing a Git operation, go-getter will try to clone the given repository in a specified destination. Cloning initializes a git config in the provided destination, and if the repository needs to be updated go-getter will pull the new changes.
An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution.
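The OSV and GHSA descriptions above both describe the same window: go-getter clones into a destination, later runs a pull in that same directory, and anyone who can write `.git/config` in between can set a key that git will execute on the next operation. The program below is an added example written for this page; it is not go-getter's code and not the 1.7.5 fix. It parses a `.git/config`, flags keys whose values git runs as programs (a list compiled by the editor from git-config(1), so an assumption about which keys matter) and a rewritten or `ext::`/`fd::` origin, and refuses an in-place update when anything is flagged. Both config texts are constructed samples, and `/tmp/evil.sh` is a placeholder.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Keys whose values git runs as a program or shell command. Editor's list from git-config(1): an assumption, not go-getter's logic.
var commandKeys = map[string]bool{
	"core.sshcommand": true, "core.fsmonitor": true, "core.hookspath": true, "core.pager": true,
	"core.editor": true, "diff.external": true, "credential.helper": true, "gpg.program": true,
}

// section.<subsection>.key forms with the same property; an empty key matches any key.
var commandKeyPatterns = []struct{ section, key string }{
	{"filter", "clean"}, {"filter", "smudge"}, {"filter", "process"}, {"merge", "driver"},
	{"diff", "command"}, {"diff", "textconv"}, {"credential", "helper"},
	{"remote", "uploadpack"}, {"remote", "receivepack"}, {"alias", ""},
}

// parseGitConfig flattens .git/config into "section[.subsection].key" -> value; git treats section and key names as case-insensitive.
func parseGitConfig(text string) map[string]string {
	cfg, section := map[string]string{}, ""
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		if line[0] == '[' && strings.HasSuffix(line, "]") {
			header := strings.TrimSpace(line[1 : len(line)-1])
			section = strings.ToLower(header)
			if i := strings.IndexAny(header, " \t"); i >= 0 { // [remote "origin"]
				section = strings.ToLower(header[:i]) + "." + strings.Trim(strings.TrimSpace(header[i:]), `"`)
			}
			continue
		}
		key, val := line, "true" // a bare key is git shorthand for "true"
		if i := strings.Index(line, "="); i >= 0 {
			key, val = strings.TrimSpace(line[:i]), strings.TrimSpace(line[i+1:])
		}
		cfg[section+"."+strings.ToLower(key)] = val
	}
	return cfg
}

// isCommandKey reports whether setting fullKey lets git run attacker-chosen code.
func isCommandKey(fullKey string) bool {
	if commandKeys[fullKey] {
		return true
	}
	section := strings.SplitN(fullKey, ".", 2)[0]
	last := fullKey[strings.LastIndex(fullKey, ".")+1:]
	for _, p := range commandKeyPatterns {
		if section == p.section && (p.key == "" || last == p.key) {
			return true
		}
	}
	return false
}

// auditGitConfig lists every setting that makes "git pull" in this checkout unsafe; wantOrigin is the URL the caller asked for.
func auditGitConfig(cfg map[string]string, wantOrigin string) []string {
	var findings []string
	for k, v := range cfg {
		if isCommandKey(k) {
			findings = append(findings, fmt.Sprintf("command-executing key %s = %q", k, v))
		}
	}
	url := cfg["remote.origin.url"]
	if url != wantOrigin {
		findings = append(findings, fmt.Sprintf("remote.origin.url is %q, expected %q", url, wantOrigin))
	}
	if strings.HasPrefix(url, "ext::") || strings.HasPrefix(url, "fd::") { // remote helpers that exec the URL
		findings = append(findings, "remote.origin.url uses a command-executing transport")
	}
	sort.Strings(findings)
	return findings
}

// safeToUpdate is the gate to run before pulling into an existing destination.
func safeToUpdate(configText, wantOrigin string) (bool, []string) {
	f := auditGitConfig(parseGitConfig(configText), wantOrigin)
	return len(f) == 0, f
}

const origin = "https://github.com/hashicorp/go-getter.git"

// Constructed samples: what git clone writes for origin, and the same file after a local edit.
const benignConfig = "[core]\n\tbare = false\n[remote \"origin\"]\n\turl = " + origin + "\n\tfetch = +refs/heads/*:refs/remotes/origin/*\n"
const tamperedConfig = "[core]\n\tbare = false\n\tsshCommand = /tmp/evil.sh\n\tfsmonitor = /tmp/evil.sh\n\thooksPath = /tmp/hooks\n" +
	"[remote \"origin\"]\n\turl = ext::sh -c /tmp/evil.sh\n\tfetch = +refs/heads/*:refs/remotes/origin/*\n"

func main() {
	ok, findings := safeToUpdate(tamperedConfig, origin)
	fmt.Println("tampered checkout safe to pull:", ok)
	for _, f := range findings {
		fmt.Println("  -", f)
	}
}
```

Treat this as a defense-in-depth gate, not a replacement for upgrading to go-getter 1.7.5: a denylist of keys is only as complete as the editor's reading of git-config(1), and a writer who can edit `.git/config` can usually edit hooks and objects too. The stronger design is to never pull into a destination that another principal can write, and instead clone fresh into a private directory that the fetching process owns.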
OSV
CVE-2024-6257
osv · 2024-06-25 · CVSS 8.8 · HIGH
HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.
No detection rules found.
No public exploits indexed.
Published: 2024-06-25