
HashiCorp has issued an urgent security advisory regarding a critical vulnerability within its widely used go-getter library that could allow attackers to inject malicious code during Git operations, potentially leading to the compromise of systems using the affected library.
The vulnerability, tracked as CVE-2024-3817 with a CVSS score of 9.8, stems from how go-getter handles Git URLs. When fetching the default branch of a remote Git repository, go-getter may execute the Git command with user-controllable arguments. This opens the possibility for attackers to inject malicious code into the Git command, potentially allowing them to gain remote control of affected systems.
As per the advisory, if a Git reference is not passed along with the Git URL, go-getter tries to determine the remote repository's HEAD reference for its default branch by passing arguments to the Git binary on the host it is executing on. An attacker may therefore format a Git URL so that it injects additional Git arguments into that Git call.
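As an added illustration (not go-getter's or HashiCorp's code), this Go snippet shows the defensive shape a caller can apply before a Git source reaches the git binary: refuse sources that git would parse as options rather than as a repository URL, and put the end-of-options marker in front of the URL when building the argument vector. It assumes scheme-style URLs (https, ssh, git, file); scp-style `user@host:path` shorthand is out of scope.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ValidateGitSource is a defensive pre-check (added example, not go-getter's own
// code) for a user-supplied Git source that will end up in the git binary's argv.
// It rejects anything git could parse as an option rather than a repository URL.
func ValidateGitSource(src string) error {
	if strings.HasPrefix(src, "-") {
		return fmt.Errorf("git source %q would be parsed as a git option", src)
	}
	u, err := url.Parse(src)
	if err != nil {
		return fmt.Errorf("git source is not a valid URL: %w", err)
	}
	switch u.Scheme {
	case "https", "ssh", "git", "file":
	default:
		return fmt.Errorf("unsupported git URL scheme %q", u.Scheme)
	}
	// Each component is user-controlled, so check them individually too.
	for _, part := range []string{u.Host, u.Path, u.RawQuery} {
		if strings.HasPrefix(part, "-") {
			return fmt.Errorf("git source component %q would be parsed as a git option", part)
		}
	}
	return nil
}

// DefaultBranchArgs builds the argv used to resolve the remote HEAD ref. The "--"
// end-of-options marker makes git treat everything after it as operands.
func DefaultBranchArgs(src string) ([]string, error) {
	if err := ValidateGitSource(src); err != nil {
		return nil, err
	}
	return []string{"git", "ls-remote", "--symref", "--", src, "HEAD"}, nil
}

func main() {
	// Constructed inputs: one well-formed source and one that starts with a dash.
	for _, s := range []string{"https://example.com/org/repo.git", "--not-a-url"} {
		argv, err := DefaultBranchArgs(s)
		fmt.Printf("%q -> argv=%v err=%v\n", s, argv, err)
	}
}
```

The validation is deliberately stricter than a plain URL parse: a scheme allow-list and a per-component dash check cost little and fail closed on inputs that a fetcher would otherwise hand straight to git.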
The vulnerability is present in go-getter versions 1.5.9 through 1.7.3. Users are strongly advised to upgrade to version 1.7.4 or later, which includes a fix for this critical issue.
Any application or system using a vulnerable version of the go-getter library for Git operations could be susceptible to this exploit. Developers and system administrators need to assess their projects’ dependencies diligently to identify and address this vulnerability.
HashiCorp urges users to take immediate action and upgrade the go-getter library to version 1.7.4 or later as soon as possible.