Critical vulnerability in github.com/hashicorp/go-getter: CVE-2024-3817
Closed this issue · 2 comments
elchenberg commented
There is a critical vulnerability in github.com/hashicorp/go-getter:
- https://github.com/open-policy-agent/conftest/blob/v0.51.0/go.mod#L16
- https://nvd.nist.gov/vuln/detail/CVE-2024-3817
- https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040
I guess Dependabot will bump it to the fixed version 1.7.4 eventually.