CVE-2024-6257

EUVD-2024-2209
HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.
Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.4 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 60%
Affected Products (NVD)
VendorProductVersion
hashicorpgo-getter
𝑥
< 1.7.5
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
hashicorpshared_library
𝑥
< 1.7.4
ADP
Debian logo
Debian Releases
Debian Product
Codename
golang-github-hashicorp-go-getter
bookworm
no-dsa
bullseye
no-dsa
sid
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
golang-github-hashicorp-go-getter
bionic
needed
focal
needed
jammy
needed
mantic
ignored
noble
needed
oracular
ignored
plucky
needed
questing
needed
golang-github-jesseduffield-go-getter
focal
needed
jammy
needed
mantic
ignored
noble
needed
oracular
ignored
plucky
dne
questing
dne
Common Weakness Enumeration
References
https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081
https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081