-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| gopkg.in/src-d/go-git.v4 | go | >= 4.0.0, <= 4.13.1 | |
| github.com/go-git/go-git/v5 | go | < 5.13.0 | 5.13.0 |
GoGoMiggo AIRoot Cause AnalysisThe vulnerability is an argument injection in go-git when using the file transport protocol. The advisory mentions that versions prior to v5.13 are affected. I compared versions v5.12.0 and v5.13.0 and found a commit 9550dfab10f009362b4921bc7f45996d9ff6ce5e with the message 'plumbing: transport/file, Change paths to absolute'. This commit modifies the parseFile function in plumbing/transport/common.go. The change involves using filepath.Abs(endpoint) to sanitize the input endpoint before using it as a path. This directly addresses the argument injection vulnerability by ensuring the path is absolute and less susceptible to manipulation that could lead to command argument injection. The parseFile function is responsible for handling the URL when the file protocol is specified, making it the entry point for the vulnerability. The affected packages include both v4 and v5 of go-git, and the identified function and its vulnerability apply to both.
Ongoing coverage of React2Shell