GHSA-w5pp-99ch-qj29
Summary
Impact
Several denial-of-service issues were identified in go-git when parsing maliciously crafted Git repository data.
An attacker may craft malicious .pack or .idx files or loose objects that cause an application using an affected version of go-git to panic or consume excessive resources.
This can lead to denial of service in applications that use go-git to clone, fetch, open, or otherwise process untrusted repositories or Git object data.
Exploitation requires the ability to alter read-only files such as .pack or .idx from the local repository's .git/objects/pack/ directory. Alternatively, the user would need to be interacting with a malicious remote server, which is not recommended and exposes users to a broader class of security risks beyond this issue.
Patches
Users should upgrade to a patched version in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected; users are recommended to upgrade to a supported go-git version.
Credits
go-git thanks @kodareef5, @AyushParkara and @N0zoM1z0 for reporting this in four separate reports. 🙇
Common Weakness Enumeration (CWE)
Uncontrolled Resource Consumption
GitHub
2.8
CVSS score: 6.5 (medium)