Overview
CVE-2023-49569 is a critical path traversal vulnerability discovered in go-git, a pure Go implementation of Git. This vulnerability allows attackers to create or modify files across the filesystem, potentially leading to remote code execution (RCE) in applications using go-git under specific configurations.
The issue arises when applications utilize the ChrootOS filesystem, which is the default when using “Plain” versions of the Open and Clone functions (e.g., PlainClone). Applications using BoundOS or in-memory filesystems are not affected. Notably, this vulnerability does not impact the upstream Git CLI.
Vulnerability Summary
| Field | Detail |
|---|---|
| CVE ID | CVE-2023-49569 |
| Severity | Critical (CVSS v3.1 Score: 9.8) |
| Attack Vector | Network |
| Privileges Required | None |
| User Interaction | None |
| Impact | Remote Code Execution |
| Affected Component | go-git (ChrootOS filesystem) |
Affected Products
| Product | Affected Versions |
|---|---|
| go-git | v4.0.0 to v5.10.x |
Applications using go-git with the default ChrootOS filesystem are susceptible. Those using BoundOS or in-memory filesystems are not affected.
How the Exploit Works
The vulnerability stems from improper sanitization of file paths in go-git’s ChrootOS filesystem. An attacker can craft malicious Git server responses containing path traversal sequences (e.g., ../) to write files outside the intended directory.
In the worst-case scenario, this could allow an attacker to overwrite critical system files or place malicious executables, leading to remote code execution when these files are executed by the system or application.
No phone number, email, or personal info required.
Conceptual Exploit Example
An attacker sets up a malicious Git server that, during a clone operation, responds with crafted paths designed to traverse directories.
For instance, a malicious .git repository could contain a file with a path like:
bashCopyEdit
../../../../../../etc/cron.d/malicious_job
When an application using go-git with ChrootOS clones this repository, it writes the file to /etc/cron.d/malicious_job, potentially scheduling a malicious cron job.
Recommendations for Mitigation
To mitigate the risks associated with CVE-2023-49569:
- Upgrade go-git: Update to version v5.11.0 or later, where this vulnerability has been addressed.
- Use Safer Filesystems: If upgrading is not immediately feasible, consider switching from
ChrootOStoBoundOSor an in-memory filesystem, which are not affected by this issue. - Restrict Git Server Access: Limit cloning operations to trusted Git servers to reduce exposure to malicious repositories.
- Validate Repository Contents: Implement additional checks to validate file paths and contents when cloning repositories, ensuring they do not escape intended directories.
Timeline and Response
- Reported: January 9, 2024
- Patched Release: go-git v5.11.0
- Public Disclosure: January 12, 2024
Closing Thoughts
CVE-2023-49569 highlights the importance of proper input validation and filesystem handling in applications interacting with external sources. Developers using go-git should promptly update to the latest version and review their usage of filesystem abstractions to ensure security best practices are followed.