hairyhenderson/gomplate

security: CVE-2023-49569 - go-git/v5

cmontemuino opened this issue · 2 comments

We've observed that version 3.11.6 includes the critical vulnerability CVE-2023-49569 in the package github.com/go-git/go-git/v5.

The root cause is in the go.mod file:

// TODO: once https://github.com/go-git/go-git/pull/416 is merged, this can be
// removed and we can use the upstream module. This commit on my fork is a
// cherry-pick from the PR on top of v5.10.0
replace github.com/go-git/go-git/v5 => github.com/hairyhenderson/go-git/v5 v5.0.0-20231120010526-e49f9324b2fc

require (
	github.com/go-git/go-billy/v5 v5.5.0
	github.com/go-git/go-git/v5 v5.10.0
)

Version v5.11.0 has been published already, so it should be an easy fix.

so it should be an easy fix.

Not quite - the fork needs to be updated first.

This particular vulnerability is not applicable to gomplate's use of go-git, as gomplate only uses the in-memory filesystem when communicating with remote git servers:

Applications using BoundOS or in-memory filesystems are not affected by this issue.

I will take care of this, but for the time being you can safely instruct your scanner to ignore this vulnerability.
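To make the thread's point concrete, here is an added example (not gomplate's own code) that parses the quoted go.mod fragment and resolves what the build actually compiles: the `replace` target, not the `require` version a scanner reads. The go.mod text is constructed from the excerpt above, and the parser handles only the `require` and `replace` directives it needs.

```python
import re

# Constructed go.mod excerpt modelled on the fragment quoted in the issue.
GO_MOD = """\
// replace points at a fork carrying a cherry-picked PR on top of v5.10.0
replace github.com/go-git/go-git/v5 => github.com/hairyhenderson/go-git/v5 v5.0.0-20231120010526-e49f9324b2fc
require (
	github.com/go-git/go-billy/v5 v5.5.0
	github.com/go-git/go-git/v5 v5.10.0
)
"""

REQUIRE_RE = re.compile(r"^(\S+)\s+(v\S+)$")
REPLACE_RE = re.compile(r"^replace\s+(\S+)(?:\s+v\S+)?\s*=>\s*(\S+)(?:\s+(v\S+))?$")
PSEUDO_RE = re.compile(r"-\d{14}-[0-9a-f]{12}$")  # vX.Y.Z-yyyymmddhhmmss-commithash

def parse_go_mod(text):
    """requires: module -> version; replaces: module -> (target, version or None)."""
    requires, replaces, in_block = {}, {}, False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # comments carry no build meaning
        if not line:
            continue
        if line == "require (":
            in_block = True
        elif in_block and line == ")":
            in_block = False
        elif in_block or line.startswith("require "):
            m = REQUIRE_RE.match(line.removeprefix("require "))
            if m:
                requires[m.group(1)] = m.group(2)
        elif line.startswith("replace "):
            m = REPLACE_RE.match(line)
            if m:  # a directory target (=> ../fork) has no version
                replaces[m.group(1)] = (m.group(2), m.group(3))
    return requires, replaces

def effective_source(module, requires, replaces):
    """The code the build compiles: the replace target if any, else the required version."""
    if module in replaces:
        return replaces[module]
    return module, requires.get(module)

def audit_module(module, requires, replaces):
    """Flag a require entry whose built code is really a commit-pinned fork,
    where bumping the upstream version alone changes nothing."""
    path, ver = effective_source(module, requires, replaces)
    fork_pinned = path != module and bool(ver and PSEUDO_RE.search(ver))
    return {"declared": requires.get(module), "effective": (path, ver),
            "fork_pinned_by_commit": fork_pinned}
```

For the quoted fragment, `audit_module` reports the declared `v5.10.0` alongside the fork's pseudo-version, which is why the fix has to land in the fork before the `require` line can move to v5.11.0.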