HashiCorp has issued an urgent security advisory regarding a critical vulnerability (CVE-2024-3817) within its widely used go-getter library. The vulnerability could allow attackers to inject malicious code during Git operations, potentially leading to the compromise of systems using the affected library.
What is go-getter?
HashiCorp's go-getter is a popular library for developers using the Go programming language. It streamlines the process of downloading files and directories from a variety of sources, including local file systems, Git repositories, HTTP servers, and others.
The Vulnerability Explained
The vulnerability (CVSS score 9.8) stems from how go-getter handles Git URLs. When fetching the default branch of a remote Git repository, go-getter may invoke the Git binary with arguments derived from the user-supplied URL. This lets an attacker who controls the URL inject additional arguments into the Git command, potentially allowing them to gain remote control of affected systems.
“If a Git reference is not passed along with the Git url, go-getter will then try to check the remote repository’s HEAD reference of its default branch by passing arguments to the Git binary on the host it is executing on,” HashiCorp wrote on its security advisory.
“An attacker may format a Git URL in order to inject additional Git arguments to the Git call.”
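As an added illustration of the defect class described above (this is example code, not go-getter's source and not HashiCorp's fix), the following Go program builds a `git ls-remote` invocation so that a user-supplied URL can never be read by git as an option: it rejects any URL that begins with `-` and always places the `--` end-of-options marker before the URL. Using `git ls-remote --symref <url> HEAD` to discover the default branch is an assumption about how such a lookup is commonly done, not a statement about go-getter's internals.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"os/exec"
	"strings"
)

// errOptionLikeURL is returned for input that git could parse as a flag.
var errOptionLikeURL = errors.New("git url may not begin with '-'")

// gitLsRemoteArgs returns the argument vector for "git ls-remote" that
// resolves the remote HEAD symref (the default branch). Two layers of defence:
// option-looking input is refused outright, and "--" is inserted so that
// everything after it is treated by git as a positional operand.
// Hypothetical helper written for this example.
func gitLsRemoteArgs(repo string) ([]string, error) {
	trimmed := strings.TrimSpace(repo)
	if trimmed == "" {
		return nil, errors.New("empty git url")
	}
	if strings.HasPrefix(trimmed, "-") {
		return nil, errOptionLikeURL
	}
	// Require a scheme and host so that bare paths and scp-style
	// "user@host:path" strings are refused by this simplified check.
	u, err := url.Parse(trimmed)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return nil, fmt.Errorf("unsupported git url %q", repo)
	}
	return []string{"ls-remote", "--symref", "--", trimmed, "HEAD"}, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: lsremote <git-url>")
		os.Exit(2)
	}
	args, err := gitLsRemoteArgs(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "refused:", err)
		os.Exit(1)
	}
	// Only a validated argv ever reaches the git binary.
	out, err := exec.Command("git", args...).CombinedOutput()
	fmt.Print(string(out))
	if err != nil {
		os.Exit(1)
	}
}
```

The validation is deliberately separated from the `exec.Command` call so it can be unit-tested without a git binary or network access; the same pattern (validate, then `--`) applies to any tool that mixes options and user-supplied operands on one command line.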
Affected Versions
The CVE-2024-3817 vulnerability is present in go-getter versions 1.5.9 through 1.7.3. Users are strongly advised to upgrade to version 1.7.4 or later, which includes a fix for this critical issue.
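The quickest check for a Go project is `go list -m github.com/hashicorp/go-getter` (or `go list -m all` for the full module graph). As an added example that is not part of the advisory, the following Go program performs the same range check offline against a go.mod file, flagging any go-getter version from 1.5.9 up to but not including the fixed 1.7.4. The embedded go.mod is constructed for this example and does not describe a real project.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample go.mod for this example (not a real project).
const sampleGoMod = `module example.com/app

go 1.21

require (
	github.com/hashicorp/go-getter v1.7.1
	github.com/spf13/cobra v1.8.0 // indirect
)
`

const goGetterPath = "github.com/hashicorp/go-getter"

// Affected range per the advisory: 1.5.9 through 1.7.3; 1.7.4 is fixed.
var (
	firstVulnerable = [3]int{1, 5, 9}
	fixedVersion    = [3]int{1, 7, 4}
)

// parseVersion turns "v1.7.3" (optionally with a pre-release or build
// suffix, which is ignored) into its numeric major/minor/patch parts.
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	core := strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(core, "-+"); i >= 0 {
		core = core[:i]
	}
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("malformed version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("malformed version %q", v)
		}
		out[i] = n
	}
	return out, nil
}

// compare returns -1, 0 or 1 for a < b, a == b, a > b.
func compare(a, b [3]int) int {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			if a[i] < b[i] {
				return -1
			}
			return 1
		}
	}
	return 0
}

// isVulnerable reports whether firstVulnerable <= version < fixedVersion.
func isVulnerable(version string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	return compare(v, firstVulnerable) >= 0 && compare(v, fixedVersion) < 0, nil
}

// goGetterVersion scans go.mod text for the go-getter require line and
// returns its version; both block and single-line require forms are handled.
func goGetterVersion(gomod string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) >= 3 && fields[0] == "require" {
			fields = fields[1:]
		}
		if len(fields) >= 2 && fields[0] == goGetterPath {
			return fields[1], true
		}
	}
	return "", false
}

// auditGoMod returns the go-getter version found (empty if absent) and
// whether it falls inside the advisory's affected range.
func auditGoMod(gomod string) (string, bool, error) {
	version, found := goGetterVersion(gomod)
	if !found {
		return "", false, nil
	}
	vuln, err := isVulnerable(version)
	return version, vuln, err
}

func main() {
	version, vuln, err := auditGoMod(sampleGoMod)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("go-getter %s vulnerable to CVE-2024-3817: %v\n", version, vuln)
}
```

Note that go.mod alone can understate exposure: a vendored copy or a replace directive can pin a different version, so the `go list -m` output, which reflects the resolved build list, is the authoritative answer.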
Who is at Risk?
Any application or system using a vulnerable version of the go-getter library for Git operations is exposed to this flaw. Developers and system administrators should audit their projects' dependencies, including transitive ones, to identify and remediate affected versions.
Recommendations
HashiCorp urges the following immediate actions:
- Upgrade: Upgrade the go-getter library to version 1.7.4 or later as soon as possible.
- Monitor Advisories: Stay updated on the latest HashiCorp security advisories for any additional information or mitigation strategies.