CRITICAL🇵🇱 Wersja polska

CVE-2023-49569

CVSS 9.8v3.1pub. 2024-01-12upd. 2024-11-21

A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worse case scenario, remote code execution could be achieved. Applications are only affected if they are using the ChrootOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS , which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS  or in-memory filesystems are not affected by this issue. This is a go-git implementation issue and does not affect the upstream git cli.

🤖 AI Analysis
How it works

The vulnerability affects the ChrootOS filesystem implementation in the go-git library, which is the default directory isolation mechanism when using 'Plain' functions such as PlainClone or PlainOpen. An attacker can construct a specially crafted Git repository containing file paths that traverse outside the designated chroot directory, enabling file writes anywhere on the filesystem. This is a bug in the go-git implementation and does not affect the native git CLI client.

Impact

An attacker can create and overwrite arbitrary files on the server or client filesystem, which can consequently lead to remote code execution (RCE). The confidentiality, integrity, and availability of the system are at risk.

Mitigation & patch

The go-git library should be updated to version v5.11 or later. As a temporary workaround, ChrootOS usage can be replaced with a BoundOS implementation or in-memory filesystem, which are not vulnerable to this issue.

Who is affected

Go-Git (go-git project) in all versions prior to v5.11. The vulnerability affects only applications using ChrootOS (default with PlainClone, PlainOpen, etc. functions). Applications using BoundOS or in-memory filesystems are not vulnerable.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Go Git Project Go Git

    APP
    Go-Git Project
    4.0.0 – 5.11.0 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEPath Traversal
CWE
References

Related vulnerabilities

CVE-2025-21613CRITICAL9.2PL ✓ten sam produkt

Argument injection w bibliotece go-git — dowolne flagi git-upload-pack

CVE-2026-45022HIGH7.0ten sam produkt

go-git is an extensible git implementation library written in pure Go. Prior to 5.19.0 and 6.0.0-alpha.3, go-g...

CVE-2025-21614HIGH7.5ten sam produkt

go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnera...

CVE-2023-49568HIGH7.5ten sam produkt

A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability a...

CVE-2026-45571MEDIUM5.4ten sam produkt

go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, a pa...