Sign In

CVE-2023-49569

ADVISORY - github

Summary

Impact

A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worse case scenario, remote code execution could be achieved.

Applications are only affected if they are using the ChrootOS, which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS or in-memory filesystems are not affected by this issue. This is a go-git implementation issue and does not affect the upstream git cli.

Patches

Users running versions of go-git from v4 and above are recommended to upgrade to v5.11 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible in a timely manner, we recommend limiting its use to only trust-worthy Git servers.

Credit

Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us.

EPSS Score: 0.04027 (0.880)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ADVISORY - github

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ADVISORY - gitlab

CWE-1035

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-352

Cross-Site Request Forgery (CSRF)

CWE-937

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

ADVISORY - redhat

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Impacted images

Advisories

NIST

CREATED

UPDATED

ADVISORY IDCVE-2023-49569
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-22

CVSS SCORE

9.8critical

GitHub

CREATED

UPDATED

ADVISORY IDGHSA-449p-3h89-pw88
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-22

CVSS SCORE

9.8critical

Debian

CREATED

UPDATED

ADVISORY IDCVE-2023-49569
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Ubuntu

CREATED

UPDATED

ADVISORY IDCVE-2023-49569
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

9.8medium

GoLang

CREATED

UPDATED

ADVISORY IDGO-2024-2456
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

GitLab

CREATED

UPDATED

ADVISORY ID

CVE-2023-49569

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-1035CWE-22CWE-352CWE-937

CVSS SCORE

9.8critical

Amazon

CREATED

UPDATED

ADVISORY IDALAS-2024-1920
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Amazon

CREATED

UPDATED

ADVISORY IDALAS2-2024-2458
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Amazon

CREATED

UPDATED

ADVISORY IDALAS2023-2024-526
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Red Hat

CREATED

UPDATED

ADVISORY IDCVE-2023-49569
EXPLOITABILITY SCORE

2.2

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-22

CVSS SCORE

8.1critical

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-3cxh-xvcg-8cqx

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-4cgv-xfqx-4qw7

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-5x2r-h3qx-fjxx

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-654q-q25g-gvhg

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-86cr-2hfv-mg62

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-fr8h-j77f-mq45

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-hr3v-vqm4-qqm2

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-hv74-jj3q-g3wr

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-m4hm-524x-wxh4

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-vmvv-wj22-w427

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-w79c-92j3-wr43

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-w99w-qr69-jr2r

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY