Main Vulnerability Database Vulnerabilities #VU85583

Path traversal in go-git - CVE-2023-49569

Published: January 18, 2024

Vulnerability identifier: #VU85583

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2023-49569

CWE-ID: CWE-22

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: go-git

Affected software:
go-git

Detailed vulnerability description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can overwrite arbitrary files on the system. Applications are only affected if they are using the ChrootOS, which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone).

How to mitigate CVE-2023-49569

Install update from vendor's website.

Sources

https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88

Path traversal in go-git - CVE-2023-49569

Detailed vulnerability description

How to mitigate CVE-2023-49569

Sources

Please verify you're human