hyperjumptech/grule-rule-engine

Upgrade go-git to > v5.11

davidsonff opened this issue · 3 comments

go-git v4 is vulnerable to CVE-2023-49569 / CWE-22 - Path Traversal. Upgrade to v5.11 or above to mitigate this vulnerability.

Overview
Affected versions of this package are vulnerable to Path Traversal via malicious server replies. An attacker can create and amend files across the filesystem and potentially achieve remote code execution by sending crafted responses to the client.

Notes:

This is only exploitable if the client is using ChrootOS, which is the default for certain functions such as PlainClone.

Applications using BoundOS or in-memory filesystems are not affected by this issue.

Users running versions of go-git from v4 and above are recommended to upgrade to v5.11 in order to mitigate this vulnerability.
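A quick way to see whether a Go module is on an affected go-git version, as an added example that is not part of this issue or of the grule-rule-engine project: the function below scans the text of a go.mod, flags any requirement of the historical v4 module path (assumed here to be gopkg.in/src-d/go-git.v4) and any github.com/go-git/go-git/v5 requirement below v5.11.0, the first release the advisory names as fixed. The go.mod content is constructed for the demo.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Module paths checked. The v5 path is the current one; the v4 path is the
// historical gopkg.in path (assumption: the project imports one of these two).
const (
	goGitV5 = "github.com/go-git/go-git/v5"
	goGitV4 = "gopkg.in/src-d/go-git.v4"
)

// fixedV5 is the first v5 release the advisory names as fixed.
var fixedV5 = [3]int{5, 11, 0}

// parseSemver turns "v5.10.1" into major, minor, patch. A pre-release or
// build suffix ("-0.20231201...", "+incompatible") is dropped, so a
// pseudo-version is compared on its base version only.
func parseSemver(v string) ([3]int, bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return [3]int{}, false
	}
	var out [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return [3]int{}, false
		}
		out[i] = n
	}
	return out, true
}

// less reports whether version a sorts before version b.
func less(a, b [3]int) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// VulnerableGoGit scans go.mod text and returns one finding per go-git
// requirement the advisory covers: any v4 requirement, or a v5 requirement
// below v5.11.0. It accepts both the single-line "require path version" form
// and the "require ( ... )" block form, and ignores trailing "// indirect".
func VulnerableGoGit(gomod string) []string {
	var findings []string
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		line = strings.TrimPrefix(line, "require ")
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue // "require (", ")", "module ...", "go 1.21", blank lines
		}
		path, ver := fields[0], fields[1]
		switch path {
		case goGitV4:
			findings = append(findings, fmt.Sprintf(
				"%s %s: every v4 release is affected; move to %s v5.11.0 or later", path, ver, goGitV5))
		case goGitV5:
			sv, ok := parseSemver(ver)
			if !ok {
				findings = append(findings, fmt.Sprintf("%s %s: unparseable version, check manually", path, ver))
			} else if less(sv, fixedV5) {
				findings = append(findings, fmt.Sprintf("%s %s: below v5.11.0, upgrade", path, ver))
			}
		}
	}
	return findings
}

// sampleGoMod is a constructed go.mod, not taken from any real project.
const sampleGoMod = `module example.com/rules

go 1.21

require (
	github.com/go-git/go-git/v5 v5.10.1
	github.com/stretchr/testify v1.8.4 // indirect
)
`

func main() {
	for _, f := range VulnerableGoGit(sampleGoMod) {
		fmt.Println(f)
	}
}
```

This is a minimal offline check keyed to this one advisory; for the general case, govulncheck (golang.org/x/vuln) does the same comparison against the Go vulnerability database and also reports whether the vulnerable functions are actually reachable from your code.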

Submitted #435

Thanks for the PR @davidsonff !

This issue is now fixed in release v1.15.0