
CVE-2024-3817: HashiCorp go-getter Vulnerable to Argument Injection When Fetching Remote Default Git Branches

CVSS 3.1 Score: 9.8

Basic Information

EPSS Score: 0.37381%
Published: 4/17/2024
Updated: 4/28/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: github.com/hashicorp/go-getter
Ecosystem: go
Vulnerable Versions: >= 1.5.9, < 1.7.4
First Patched Version: 1.7.4

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability description states that an attacker can format a Git URL so that it injects additional Git arguments. The provided commit 268c11cae8cf0d9374783e06572679796abe9ce9 patches this by adding "--" before the URL argument in the git commands. The "--" argument tells git to treat every argument after it as positional (a filename or URL) rather than as an option, even when it starts with a dash. The functions clone and findRemoteDefaultBranch in get_git.go were modified in this way. Before the fix, these functions were therefore vulnerable to argument injection: they passed user-controlled URLs directly to git commands without this safeguard, so a URL beginning with a dash was parsed by git as an option rather than as a repository location.
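The "--" separator behaviour described above, as an added Go example that is not go-getter's own code: it builds the git argument vector in the pre-fix shape and in the fixed shape, then models how git classifies each token, so a positional value starting with a dash is visibly consumed as an option only in the unfixed form. The classifier is a deliberate simplification of git's real option parser, and the sample URL is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// gitArgv builds argv for a git subcommand the fixed way: options, then the
// "--" sentinel, then positional values (URLs, paths), so a positional value
// that begins with "-" can never be parsed as an option.
func gitArgv(subcmd string, opts []string, positional ...string) []string {
	argv := append([]string{subcmd}, opts...)
	argv = append(argv, "--")
	return append(argv, positional...)
}

// vulnerableGitArgv is the pre-fix shape: positional values follow the
// options with no "--" separator between them.
func vulnerableGitArgv(subcmd string, opts []string, positional ...string) []string {
	return append(append([]string{subcmd}, opts...), positional...)
}

// classify models git's argument handling: a token starting with "-" is an
// option until the "--" sentinel is seen, after which every token is
// positional. (Simplified: real git also consumes option values.)
func classify(argv []string) (options, positionals []string) {
	seenSep := false
	for _, tok := range argv[1:] { // argv[0] is the subcommand name
		switch {
		case seenSep:
			positionals = append(positionals, tok)
		case tok == "--":
			seenSep = true
		case strings.HasPrefix(tok, "-"):
			options = append(options, tok)
		default:
			positionals = append(positionals, tok)
		}
	}
	return options, positionals
}

// injectedOptions reports whether the user-controlled url would be consumed
// as an option by the argv a given builder produces; empty means it is safe.
func injectedOptions(build func(string, []string, ...string) []string, url string) []string {
	opts, _ := classify(build("clone", []string{"--depth=1"}, url, "dst"))
	var injected []string
	for _, o := range opts {
		if o == url {
			injected = append(injected, o)
		}
	}
	return injected
}

func main() {
	url := "-not-a-real-url" // constructed sample: a "URL" whose first byte is a dash
	fmt.Println("pre-fix argv treats url as option:", injectedOptions(vulnerableGitArgv, url))
	fmt.Println("fixed argv treats url as option:  ", injectedOptions(gitArgv, url))
}
```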
