CVE-2024-3817
📋 TL;DR
HashiCorp's go-getter library is vulnerable to argument injection when executing Git commands to discover remote branches. This allows attackers to inject arbitrary arguments into Git commands, potentially leading to remote code execution. Affected users are those using go-getter v1 (not v2) to fetch Git repositories with untrusted input.
💻 Affected Systems
- HashiCorp go-getter
📦 What is this software?
go-getter (Go Getter) is a Go library by HashiCorp for downloading files and directories from URLs, including Git repositories.
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with the privileges of the process running go-getter, potentially leading to full system compromise.
Likely Case
Arbitrary command execution on the server, allowing data theft, lateral movement, or deployment of malware.
If Mitigated
Limited impact if the process runs with minimal privileges behind network segmentation and input validation controls.
🎯 Exploit Status
Exploitation requires the ability to control Git repository URLs or branch names processed by go-getter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to go-getter/v2 (which is not vulnerable) or apply vendor patches for v1 if available
Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040
Restart Required: Yes
Instructions:
1. Review the vendor advisory.
2. Migrate to go-getter/v2 if possible.
3. If staying on v1, apply any available patches.
4. Update dependencies and restart affected services.
🔧 Temporary Workarounds
Input Validation and Sanitization
Validate and sanitize all user-provided Git URLs and branch names before passing them to go-getter.
Network Restrictions
Restrict go-getter to fetching only from trusted Git repositories, using allowlists.
🧯 If You Can't Patch
- Implement strict input validation for all Git URLs and branch names
- Run go-getter processes with minimal privileges and in isolated environments
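The input validation called for in the Temporary Workarounds and If You Can't Patch sections, as an added Go example that is not part of go-getter or the vendor advisory: it rejects URLs and ref names that Git could read as command-line options, allowlists hosts, and only then builds a source string. The `git::` prefix and `ref` query parameter follow go-getter's source-string syntax; the host allowlist, the function names and the use of the result with go-getter are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Allowlist for ref names: the first character must be alphanumeric, so a ref can never start with '-'.
var refPattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._/-]*$`)

// ValidateRef rejects anything outside the allowlist plus a few forms Git itself forbids.
func ValidateRef(ref string) error {
	if !refPattern.MatchString(ref) || strings.Contains(ref, "..") || strings.HasSuffix(ref, "/") {
		return fmt.Errorf("ref %q is not an acceptable ref name", ref)
	}
	return nil
}

// ValidateGitURL accepts only https URLs without a query string to allowlisted hosts
// (assumed policy); a leading '-' is rejected before url.Parse ever sees the value.
func ValidateGitURL(raw string, allowedHosts map[string]bool) (*url.URL, error) {
	if strings.HasPrefix(raw, "-") {
		return nil, fmt.Errorf("url %q starts with '-' and could be read as a git option", raw)
	}
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" || u.RawQuery != "" || !allowedHosts[u.Hostname()] {
		return nil, fmt.Errorf("url %q: scheme, query string or host not allowed", raw)
	}
	return u, nil
}

// SafeGetterSource builds a "git::<url>?ref=<ref>" go-getter source string only after
// both parts pass validation; the caller then hands the string to go-getter (assumed usage).
func SafeGetterSource(raw, ref string, allowedHosts map[string]bool) (string, error) {
	u, err := ValidateGitURL(raw, allowedHosts)
	if err != nil {
		return "", err
	}
	if err := ValidateRef(ref); err != nil {
		return "", err
	}
	return "git::" + u.String() + "?ref=" + url.QueryEscape(ref), nil
}
```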
🔍 How to Verify
Check if Vulnerable:
Check if your application imports go-getter v1 (not v2) and uses it to fetch Git repositories.
Check Version:
Check your Go module dependencies (go.mod) for the go-getter version in use.
Verify Fix Applied:
Verify that go-getter/v2 is being used or that v1 has been updated to a patched version, and test with controlled inputs.
📡 Detection & Monitoring
Log Indicators:
- Unusual Git command arguments in application logs
- Failed Git operations with suspicious parameters
Network Indicators:
- Unexpected outbound connections from go-getter processes
- Git protocol traffic to untrusted sources
SIEM Query:
Search for process executions in which a go-getter process spawns git with unusual arguments.