9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-3817

GHSA ID

GHSA-q64h-39hv-4cf7

EPSS Score

0.37381%

CWE

CWE-88

Published

4/17/2024

Updated

4/28/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-3817

CVE-2024-3817: HashiCorp go-getter Vulnerable to Argument Injection When Fetching Remote Default Git Branches

When go-getter is performing a Git operation, go-getter will try to clone the given repository. If a Git reference is not passed along with the Git url, go-getter will then try to check the remote repository’s HEAD reference of its default branch by passing arguments to the Git binary on the host it is executing on.

An attacker may format a Git URL in order to inject additional Git arguments to the Git call.

Consumers of the go-getter library should evaluate the risk associated with these issues in the context of their go-getter usage and upgrade go-getter to 1.7.4 or later.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-3817

GHSA ID

GHSA-q64h-39hv-4cf7

EPSS Score

0.37381%

CWE

CWE-88

Published

4/17/2024

Updated

4/28/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/hashicorp/go-getter	go	>= 1.5.9, < 1.7.4	1.7.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description states that an attacker can format a Git URL to inject additional Git arguments. The provided commit 268c11cae8cf0d9374783e06572679796abe9ce9 patches this by adding "--" before the URL argument in git commands. This "--" argument tells git to treat all subsequent arguments as positional arguments (like filenames or URLs) and not as options, even if they start with a dash. The functions clone and findRemoteDefaultBranch in get_git.go were modified in this way. Therefore, these functions were previously vulnerable to argument injection because they passed user-controlled URLs directly to git commands without this safeguard.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W**n *o-**tt*r is p*r*ormin* * *it op*r*tion, *o-**tt*r will try to *lon* t** *iv*n r*pository. I* * *it r***r*n** is not p*ss** *lon* wit* t** *it url, *o-**tt*r will t**n try to ****k t** r*mot* r*pository’s **** r***r*n** o* its ****ult *r*n** *y

Reasoning

T** vuln*r**ility **s*ription st*t*s t**t *n *tt**k*r **n *orm*t * *it URL to inj**t ***ition*l *it *r*um*nts. T** provi*** *ommit `****************************************` p*t***s t*is *y ***in* `"--"` ***or* t** URL *r*um*nt in `*it` *omm*n*s. T*i

9.8

Basic Information

Concerned about an active attack path?

CVE-2024-3817: HashiCorp go-getter Vulnerable to Argument Injection When Fetching Remote Default Git Branches

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI