CVE-2024-6257

Name	CVE-2024-6257
Description	HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1075823

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
golang-github-hashicorp-go-getter (PTS)	buster, stretch	0.0~git20160316.0.575ec4e-1	vulnerable
	sid, bullseye, bookworm	1.4.1-1	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Debian Bugs
golang-github-hashicorp-go-getter	source	stretch	(unfixed)	end-of-life
golang-github-hashicorp-go-getter	source	buster	(unfixed)	end-of-life
golang-github-hashicorp-go-getter	source	(unstable)	(unfixed)		1075823

Notes

[bookworm] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
[bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081