SB2026042364 - Ubuntu update for golang-github-go-git-go-git

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026042364

SB2026042364 - Ubuntu update for golang-github-go-git-go-git

Published: April 23, 2026

Security Bulletin ID SB2026042364
Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 40% Low 60%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Resource exhaustion (CVE-ID: CVE-2023-49568)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling responses from a Git server. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


2) Resource exhaustion (CVE-ID: CVE-2025-21614)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling responses from a malicious Git server. A remote attacker can trick the victim into connecting to a malicious Git server and perform a denial of service (DoS) attack.


3) Path traversal (CVE-ID: CVE-2023-49569)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can overwrite arbitrary files on the system. Applications are only affected if they are using the ChrootOS, which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone).


4) Improper neutralization of argument delimiters in a command (CVE-ID: CVE-2025-21613)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation when handling URL field in arguments passed to the git-upload-pack command. A remote attacker can trick the victim into passing a specially crafted URL as a flag to the affected command and manipulate arguments for the git-upload-pack command, which can result in information disclosure.


5) Improper validation of integrity check value (CVE-ID: CVE-2026-25934)

The vulnerability allows a remote attacker to cause integrity issues by supplying corrupted repository data.

The vulnerability exists due to improper validation of integrity check values in .pack and .idx file handling when processing fetched packfiles and generated pack indexes. A remote attacker can provide corrupted repository data to cause integrity issues by making the application consume corrupted files and trigger unexpected errors.

User interaction is required for a client to fetch and process repository data.


Remediation

Install update from vendor's website.

References