CVE-2023-49569

CRITICAL

go-git < 5.11.0 - Path Traversal and Remote Code Execution via ChrootOS Filesystem


Description

A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worst-case scenario, remote code execution could be achieved. Applications are only affected if they are using the ChrootOS filesystem (https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS), which is the default when using the "Plain" versions of the Open and Clone functions (e.g. PlainClone). Applications using BoundOS (https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS) or in-memory filesystems are not affected by this issue. This is a go-git implementation issue and does not affect the upstream Git CLI.


Scores

CVSS v3 9.8
EPSS 0.0152
EPSS Percentile 71.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-22
Status published
Products (3)
go-git/go-git 5.0.0 - 5.11.0 (Go)
go-git_project/go-git 4.0.0 - 5.11.0
src-d/go-git.v4 4.0.0 (Go)
Published Jan 12, 2024
Tracked Since Feb 18, 2026