CVE-2023-49569

moderate-risk
Published 2024-01-12

A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worse case scenario, remote code execution could be achieved. Applications are only affected if they are using the ChrootOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS , which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS  or in-memory filesystems are not affected by this issue. This is a go-git implementation issue and does not affect the upstream git cli.

Do I need to act?

~
4.0% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 5d08d3bd94c65a3b6c25c6fba6907d12b0dac4ca
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Go-Git

Affected Vendors

Go-Git Project

References (2)

Vendor Advisory https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88
Vendor Advisory https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88
44
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 7/34 · Low
Exposure 5/34 · Minimal