CVE-2023-49568

Maliciously crafted Git server replies can cause DoS on go-git clients

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients.

Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability.
This is a go-git implementation issue and does not affect the upstream git cli.

Se descubrió una vulnerabilidad de denegación de servicio (DoS) en versiones de go-git anteriores a la v5.11. Esta vulnerabilidad permite a un atacante realizar ataques de denegación de servicio proporcionando respuestas especialmente manipuladas desde un servidor Git que provoca el agotamiento de los recursos en los clientes go-git. Las aplicaciones que utilizan únicamente el sistema de archivos en memoria compatible con go-git no se ven afectadas por esta vulnerabilidad. Este es un problema de implementación de go-git y no afecta el cli de git ascendente.

A denial of service (DoS) vulnerability was found in the go library go-git. This issue may allow an attacker to perform denial of service attacks by providing specially crafted responses from a Git server, which can trigger resource exhaustion in go-git clients.

*Credits: Ionuț Lalu

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-11-27 CVE Reserved
2024-01-12 CVE Published
2024-01-23 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation
CWE-400: Uncontrolled Resource Consumption

CAPEC

CAPEC-130: Excessive Allocation

References (3)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://github.com/go-git/go-git/security/advisories/GHSA-mw99-9chc-xw7r	2024-01-22
https://access.redhat.com/security/cve/CVE-2023-49568	2024-06-26
https://bugzilla.redhat.com/show_bug.cgi?id=2258165	2024-06-26

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Go-git Project Search vendor "Go-git Project"		Go-git Search vendor "Go-git Project" for product "Go-git"				>= 4.0.0 < 5.11.0 Search vendor "Go-git Project" for product "Go-git" and version " >= 4.0.0 < 5.11.0"		go		Affected