CVE-2023-49569 – A path traversal vulnerability in go-git versio... (How to Fix)

📋 TL;DR

A path traversal vulnerability in go-git versions before v5.11 allows attackers to create and modify files anywhere on the filesystem when using ChrootOS filesystem. Applications using PlainClone or similar functions with default configurations are affected, potentially leading to remote code execution.

💻 Affected Systems

Products:

go-git library

Versions: All versions prior to v5.11

Operating Systems: All platforms running Go applications

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects applications using ChrootOS filesystem (default with PlainClone/PlainOpen). Applications using BoundOS or in-memory filesystems are not vulnerable.

📦 What is this software?

Go Git by Go Git Project

View all CVEs affecting Go Git →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution allowing complete system compromise

🟠

Likely Case

Unauthorized file creation/modification leading to data corruption or privilege escalation

🟢

If Mitigated

Limited to file system manipulation within controlled directories

🌐 Internet-Facing: HIGH - Exploitable remotely without authentication

🏢 Internal Only: HIGH - Internal systems using vulnerable versions remain at risk

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Path traversal vulnerabilities typically have low exploitation complexity. No public exploit code identified at advisory publication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v5.11.0

Vendor Advisory: https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88

Restart Required: No

Instructions:

1. Update go.mod to require github.com/go-git/go-git/v5 v5.11.0 or later
2. Run 'go mod tidy'
3. Rebuild and redeploy your application

🔧 Temporary Workarounds

Switch to BoundOS filesystem

all

Replace ChrootOS with BoundOS to restrict filesystem access

Modify code to use BoundOS instead of default ChrootOS when initializing filesystem

🧯 If You Can't Patch

Implement strict input validation on all git repository paths
Run application with minimal filesystem permissions using containerization or chroot

🔍 How to Verify

Check if Vulnerable:

Check go.mod for go-git dependency version below v5.11.0

Check Version:

grep 'github.com/go-git/go-git/v5' go.mod

Verify Fix Applied:

Confirm go.mod requires github.com/go-git/go-git/v5 v5.11.0 or later

📡 Detection & Monitoring

Log Indicators:

Unexpected file creation/modification outside expected git directories
Path traversal patterns in git operation logs

Network Indicators:

Unusual git protocol traffic patterns

SIEM Query:

Search for file system events with paths containing '../' patterns from git-related processes

📊 Metadata

CVE ID: CVE-2023-49569

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-22

Published: January 12, 2024

Last Updated: November 21, 2024

🔗 References

https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88 Vendor Advisory
https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-49569, you might also want to check these: