HashiCorp Vulnerability in go-getter Library - 20240422001

Overview

HashiCorp has released a security advisory to address a vulnerability within its widely used go-getter library. The vulnerability could allow attackers to inject malicious code during Git operations, potentially leading to the compromise of systems using the affected library.

What is vulnerable?

CVE	Severity	CVSS	Product(s) Affected
CVE-2024-3817	Critical	9.8	HashiCorp Shared library - go-getter version 1.5.9 through 1.7.3 for 64 bit, 32 bit, x86, ARM, MacOS, Windows, Linux

Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer Patch Management):

Additional References

• HashiCorp’s go-getter library vulnerability(nvd.nist.gov)
• HashiCorp go-getter Vulnerable to Argument Injection When Fetching Remote Default Git Branches (hashicorp.com)
• HashiCorp’s go-getter library (tenable.com)