A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worse case scenario, remote code execution could be achieved. Applications are only affected if they are using the ChrootOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS , which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS  or in-memory filesystems are not affected by this issue. This is a go-git implementation issue and does not affect the upstream git cli.
History

Thu, 14 Nov 2024 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 31 Oct 2024 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift:4.15::el9

Fri, 06 Sep 2024 14:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift_builds:1.1::el9

cve-icon MITRE

Status: PUBLISHED

Assigner: Bitdefender

Published: 2024-01-12T10:41:00.201Z

Updated: 2024-11-14T14:34:02.845Z

Reserved: 2023-11-27T14:21:51.157Z

Link: CVE-2023-49569

cve-icon Vulnrichment

Updated: 2024-08-02T22:01:25.499Z

cve-icon NVD

Status : Modified

Published: 2024-01-12T11:15:13.250

Modified: 2024-11-21T08:33:34.583

Link: CVE-2023-49569

cve-icon Redhat

Severity : Critical

Publid Date: 2024-01-09T00:00:00Z

Links: CVE-2023-49569 - Bugzilla