Vulnerabilities related to go-git - go-git
cve-2025-21614
Vulnerability from cvelistv5
Published
2025-01-06 16:20
Modified
2025-01-06 16:36
Summary
go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.
References
| URL | Tags |
|---|---|
| https://github.com/go-git/go-git/security/advisories/GHSA-r9px-m959-cxf4 | x_refsource_CONFIRM |
{ containers: { adp: [ { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2025-21614", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-01-06T16:34:38.131709Z", version: "2.0.3", }, type: "ssvc", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-770", description: "CWE-770 Allocation of Resources Without Limits or Throttling", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-01-06T16:36:35.796Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "go-git", vendor: "go-git", versions: [ { status: "affected", version: ">= 4.0.0, < 5.13.0", }, ], }, ], descriptions: [ { lang: "en", value: "go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-400", description: "CWE-400: Uncontrolled Resource Consumption", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-01-06T16:20:16.140Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/go-git/go-git/security/advisories/GHSA-r9px-m959-cxf4", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/go-git/go-git/security/advisories/GHSA-r9px-m959-cxf4", }, ], source: { advisory: "GHSA-r9px-m959-cxf4", discovery: "UNKNOWN", }, title: "go-git clients vulnerable to DoS via maliciously crafted Git server replies", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2025-21614", datePublished: "2025-01-06T16:20:16.140Z", dateReserved: "2024-12-29T03:00:24.713Z", dateUpdated: "2025-01-06T16:36:35.796Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2025-21613
Vulnerability from cvelistv5
Published
2025-01-06 16:13
Modified
2025-01-06 16:45
Summary
go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.
References
| URL | Tags |
|---|---|
| https://github.com/go-git/go-git/security/advisories/GHSA-v725-9546-7q7m | x_refsource_CONFIRM |
{ containers: { adp: [ { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2025-21613", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-01-06T16:38:34.120792Z", version: "2.0.3", }, type: "ssvc", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-88", description: "CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-01-06T16:45:02.671Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "go-git", vendor: "go-git", versions: [ { status: "affected", version: ">= 4.0.0, < 5.13.0", }, ], }, ], descriptions: [ { lang: "en", value: "go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.", }, ], metrics: [ { cvssV4_0: { attackComplexity: "LOW", attackRequirements: "PRESENT", attackVector: "NETWORK", baseScore: 9.2, baseSeverity: "CRITICAL", privilegesRequired: "NONE", subAvailabilityImpact: "NONE", subConfidentialityImpact: "NONE", subIntegrityImpact: "NONE", userInteraction: "NONE", vectorString: "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Clear", version: "4.0", vulnAvailabilityImpact: "HIGH", vulnConfidentialityImpact: "HIGH", vulnIntegrityImpact: "HIGH", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-88", description: "CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-01-06T16:13:10.611Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/go-git/go-git/security/advisories/GHSA-v725-9546-7q7m", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/go-git/go-git/security/advisories/GHSA-v725-9546-7q7m", }, ], source: { advisory: "GHSA-v725-9546-7q7m", discovery: "UNKNOWN", }, title: "go-git has an Argument Injection via the URL field", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2025-21613", datePublished: "2025-01-06T16:13:10.611Z", dateReserved: "2024-12-29T03:00:24.713Z", dateUpdated: "2025-01-06T16:45:02.671Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-49568
Vulnerability from cvelistv5
Published
2024-01-12 10:36
Modified
2024-08-02 22:01
Summary
A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients.
Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability.
This is a go-git implementation issue and does not affect the upstream git cli.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T22:01:25.669Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/go-git/go-git/security/advisories/GHSA-mw99-9chc-xw7r", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "go-git", vendor: "go-git", versions: [ { status: "affected", version: "5.11.0", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Ionuț Lalu", }, ], datePublic: "2024-01-12T10:16:00.000Z", descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>A denial of service (DoS) vulnerability was discovered in go-git versions prior to <code>v5.11</code>. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in <code>go-git</code> clients.</p><p>Applications using only the in-memory filesystem supported by <code>go-git</code> are not affected by this vulnerability.<br>This is a <code>go-git</code> implementation issue and does not affect the upstream <code>git</code> cli.</p><br>", }, ], value: "A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients.\n\nApplications using only the in-memory filesystem supported by go-git are not affected by this vulnerability.\nThis is a go-git implementation issue and does not affect the upstream git cli.\n\n\n", }, ], impacts: [ { capecId: "CAPEC-130", descriptions: [ { lang: "en", value: "CAPEC-130 Excessive Allocation", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-20", description: "CWE-20 Improper Input Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-01-12T10:36:12.727Z", orgId: "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", shortName: "Bitdefender", }, references: [ { url: "https://github.com/go-git/go-git/security/advisories/GHSA-mw99-9chc-xw7r", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "An upgrade to v. 5.11 fixes this issue<br>", }, ], value: "An upgrade to v. 5.11 fixes this issue\n", }, ], source: { advisory: "GHSA-mw99-9chc-xw7r", discovery: "EXTERNAL", }, title: "Maliciously crafted Git server replies can cause DoS on go-git clients", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", assignerShortName: "Bitdefender", cveId: "CVE-2023-49568", datePublished: "2024-01-12T10:36:12.727Z", dateReserved: "2023-11-27T14:21:51.157Z", dateUpdated: "2024-08-02T22:01:25.669Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-49569
Vulnerability from cvelistv5
Published
2024-01-12 10:41
Modified
2024-11-14 14:34
Summary
A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worst-case scenario, remote code execution could be achieved.
Applications are only affected if they are using the ChrootOS (https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS), which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS (https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS) or in-memory filesystems are not affected by this issue.
This is a go-git implementation issue and does not affect the upstream git cli.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T22:01:25.499Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-49569", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-01-18T19:36:00.641066Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-11-14T14:34:02.845Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "go-git", vendor: "go-git", versions: [ { status: "affected", version: "5.11.0", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Ionuț Lalu", }, ], datePublic: "2024-01-12T10:40:00.000Z", descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>A path traversal vulnerability was discovered in go-git versions prior to <code>v5.11</code>. This vulnerability allows an attacker to create and amend files across the filesystem. In the worse case scenario, remote code execution could be achieved.</p><p>Applications are only affected if they are using the <a target=\"_blank\" rel=\"nofollow\" href=\"https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS\">ChrootOS</a>, which is the default when using \"Plain\" versions of Open and Clone funcs (e.g. PlainClone). Applications using <a target=\"_blank\" rel=\"nofollow\" href=\"https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS\">BoundOS</a> or in-memory filesystems are not affected by this issue.<br>This is a <code>go-git</code> implementation issue and does not affect the upstream <code>git</code> cli.</p><br>", }, ], value: "A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worse case scenario, remote code execution could be achieved.\n\nApplications are only affected if they are using the ChrootOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS , which is the default when using \"Plain\" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS or in-memory filesystems are not affected by this issue.\nThis is a go-git implementation issue and does not affect the upstream git cli.\n\n\n", }, ], impacts: [ { capecId: "CAPEC-126", descriptions: [ { lang: "en", value: "CAPEC-126 Path Traversal", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-22", description: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-01-12T10:41:00.201Z", orgId: "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", shortName: "Bitdefender", }, references: [ { url: "https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "An update to version 5.11 fixes the issue", }, ], value: "An update to version 5.11 fixes the issue", }, ], source: { advisory: "GHSA-449p-3h89-pw88", discovery: "EXTERNAL", }, title: "Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", assignerShortName: "Bitdefender", cveId: "CVE-2023-49569", datePublished: "2024-01-12T10:41:00.201Z", dateReserved: "2023-11-27T14:21:51.157Z", dateUpdated: "2024-11-14T14:34:02.845Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }