CVE-2023-49569

{"id": "CVE-2023-49569", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve-requests@bitdefender.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2024-01-12T11:15:13.250", "references": [{"url": "https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88", "tags": ["Vendor Advisory"], "source": "cve-requests@bitdefender.com"}, {"url": "https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cve-requests@bitdefender.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worse case scenario, remote code execution could be achieved.\n\nApplications are only affected if they are using the ChrootOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS , which is the default when using \"Plain\" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS \u00a0or in-memory filesystems are not affected by this issue.\nThis is a go-git\u00a0implementation issue and does not affect the upstream git\u00a0cli.\n\n\n"}, {"lang": "es", "value": "Se descubri\u00f3 una vulnerabilidad de path traversal en versiones de go-git anteriores a la v5.11. Esta vulnerabilidad permite a un atacante crear y modificar archivos en todo el sistema de archivos. En el peor de los casos, se podr\u00eda lograr la ejecuci\u00f3n remota de c\u00f3digo. Las aplicaciones solo se ven afectadas si usan ChrootOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS, que es el valor predeterminado cuando se usan versiones \"simples\" de Open y funciones de clonaci\u00f3n (por ejemplo, PlainClone). Las aplicaciones que utilizan BoundOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS o sistemas de archivos en memoria no se ven afectados por este problema. Este es un problema de implementaci\u00f3n de go-git y no afecta el cli de git ascendente."}], "lastModified": "2024-11-21T08:33:34.583", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:go-git_project:go-git:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "61C9245F-61A4-4756-83B1-13CE56E28FF0", "versionEndExcluding": "5.11.0", "versionStartIncluding": "4.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve-requests@bitdefender.com"}