CVE-2024-3817

HashiCorp go-getter Vulnerable to Argument Injection When Fetching Remote Default Git Branches

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches.

This vulnerability does not affect the go-getter/v2 branch and package.

La librería de HashiCorp es vulnerable a la inyección de argumentos al ejecutar Git para descubrir ramas remotas. Esta vulnerabilidad no afecta a la rama ni al paquete go-getter/v2.

*Credits: N/A

CVSS Scores

HashiCorp Inc.v3.1 9.8

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-04-15 CVE Reserved
2024-04-17 CVE Published
2024-04-18 EPSS Updated
2024-08-01 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

CAPEC

CAPEC-248: Command Injection

References (1)

URL	Tag	Source
https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
HashiCorp Search vendor "HashiCorp"		Shared Library Search vendor "HashiCorp" for product "Shared Library"				>= 1.5.9 < 1.7.3 Search vendor "HashiCorp" for product "Shared Library" and version " >= 1.5.9 < 1.7.3"		en		Affected