3 results (0.007 seconds)

CVSS: 8.4EPSS: 0%CPEs: 1EXPL: 0

HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution. • https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 6.0EPSS: 0%CPEs: 1EXPL: 0

go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7. A vulnerability was found in go-retryablehttp. The package may suffer from a lack of input sanitization by not cleaning up URL data when writing to the logs. • https://discuss.hashicorp.com/c/security https://access.redhat.com/security/cve/CVE-2024-6104 https://bugzilla.redhat.com/show_bug.cgi?id=2294000 • CWE-532: Insertion of Sensitive Information into Log File •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. This vulnerability does not affect the go-getter/v2 branch and package. La librería de HashiCorp es vulnerable a la inyección de argumentos al ejecutar Git para descubrir ramas remotas. Esta vulnerabilidad no afecta a la rama ni al paquete go-getter/v2. • https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •