Impact
An argument injection vulnerability was discovered in go-git versions prior to v5.13.
Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries.
Affected versions
Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.
Workarounds
In cases where a bump to the latest version of go-git is not possible, we recommend users to enforce restrict validation rules for values passed in the URL field.
Credit
Thanks to @vin01 for responsibly disclosing this vulnerability to us.
Impact
An argument injection vulnerability was discovered in
go-gitversions prior tov5.13.Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the
filetransport protocol is being used, as that is the only protocol that shells out togitbinaries.Affected versions
Users running versions of
go-gitfromv4and above are recommended to upgrade tov5.13in order to mitigate this vulnerability.Workarounds
In cases where a bump to the latest version of
go-gitis not possible, we recommend users to enforce restrict validation rules for values passed in the URL field.Credit
Thanks to @vin01 for responsibly disclosing this vulnerability to us.