VDB
KO
CRITICAL 9.8

GHSA-v725-9546-7q7m

go-git has an Argument Injection via the URL field

Details

### Impact An argument injection vulnerability was discovered in `go-git` versions prior to `v5.13`.

Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to [git-upload-pack flags](https://git-scm.com/docs/git-upload-pack). This only happens when the `file` transport protocol is being used, as that is the only protocol that shells out to `git` binaries.

### Affected versions Users running versions of `go-git` from `v4` and above are recommended to upgrade to `v5.13` in order to mitigate this vulnerability.

### Workarounds In cases where a bump to the latest version of `go-git` is not possible, we recommend users to enforce restrict validation rules for values passed in the URL field.

## Credit Thanks to @vin01 for responsibly disclosing this vulnerability to us.

Are you affected?

Enter the version of the package you're using.

Affected packages

Go / gopkg.in/src-d/go-git.v4
Introduced in: 4.0.0

No fixed version published yet for gopkg.in/src-d/go-git.v4 (go modules). Pin to a known-safe version or switch to an alternative.

Go / github.com/go-git/go-git/v5
Introduced in: 0 Fixed in: 5.13.0
Fix go get github.com/go-git/go-git/v5@v5.13.0

References