A denial of service (DoS) vulnerability (CVE-2023-49568) has been identified in go-git versions prior to v5.11. If left unpatched, this vulnerability can enable attackers to conduct denial of service attacks by sending maliciously crafted responses from a Git server. As a result, impacted go-git clients may experience resource exhaustion. Notably, applications utilizing the in-memory filesystem supported by go-git remain unaffected by this vulnerability. It is also important to note that this is a go-git implementation issue and does not impact the upstream git CLI.

Exploit Details

The vulnerability exists within the go-git implementation: specially crafted responses from a Git server can trigger resource exhaustion on go-git clients. Because these responses come from the remote end of a fetch or clone, an attacker controlling (or impersonating) the server can drive resource consumption up until the client is denied service.

Affected Versions

This vulnerability affects go-git versions prior to v5.11.

Here is an example of a code snippet that might be impacted by this vulnerability:

package main

import (
    "fmt"
    "log"
    "os"

    git "github.com/go-git/go-git/v5"
)

func main() {
    // Clone talks to the remote server; a malicious server's responses are
    // what triggers the resource exhaustion in go-git versions before v5.11.
    repository, err := git.PlainClone("/tmp/example-repo", false, &git.CloneOptions{
        URL:      "https://github.com/example/example-repo",
        Progress: os.Stdout,
    })

    if err != nil {
        log.Fatal(err)
    }

    fmt.Println(repository)
}

To protect your application from this vulnerability, it is essential to upgrade to the latest version of go-git (v5.11 or later).

How to Fix

To fix this vulnerability, promptly update your go-git dependency to the latest version (v5.11 or later) by modifying your go.mod file (go.mod needs the full MAJOR.MINOR.PATCH version string):

require github.com/go-git/go-git/v5 v5.11.0

After updating the dependency, run

go mod tidy

to ensure that the latest version is being used in your project.
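Added example (not from the advisory or the go-git project): a small Go program that scans a go.mod for the go-git v5 requirement and reports whether the pinned version is older than the first fixed release. It assumes v5.11.0 is that release (the advisory says "v5.11 or later"; go.mod needs the full MAJOR.MINOR.PATCH form), treats a pre-release of v5.11.0 as still affected, and uses a constructed sample go.mod; the function names (Affected, goGitVersion, parseSemver) are the example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"log"
	"strconv"
	"strings"
)

// Module path of go-git as it appears in go.mod (from the advisory).
const goGitModule = "github.com/go-git/go-git/v5"

// Assumption: v5.11.0 is the first release containing the fix.
const fixedVersion = "v5.11.0"

// parseSemver turns "vMAJOR.MINOR.PATCH[-pre][+build]" into four comparable
// integers; the fourth is 0 for a pre-release and 1 for a final release, so
// v5.11.0-rc1 sorts before v5.11.0.
func parseSemver(v string) ([4]int, error) {
	var out [4]int
	if !strings.HasPrefix(v, "v") {
		return out, fmt.Errorf("version %q does not start with 'v'", v)
	}
	core := strings.TrimPrefix(v, "v")
	out[3] = 1
	if i := strings.IndexAny(core, "-+"); i >= 0 {
		if core[i] == '-' {
			out[3] = 0 // pre-release
		}
		core = core[:i] // build metadata does not affect precedence
	}
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("version %q is not MAJOR.MINOR.PATCH", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("version %q: %w", v, err)
		}
		out[i] = n
	}
	return out, nil
}

// semverLess reports whether a sorts before b.
func semverLess(a, b [4]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// goGitVersion finds the go-git v5 requirement in go.mod text, handling both
// "require m v" on one line and "require ( ... )" blocks, and ignoring
// trailing comments such as "// indirect".
func goGitVersion(goMod string) (string, bool) {
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		if line == "require (" {
			inBlock = true
			continue
		}
		if line == ")" {
			inBlock = false
			continue
		}
		fields := strings.Fields(line)
		if !inBlock {
			if len(fields) != 3 || fields[0] != "require" {
				continue
			}
			fields = fields[1:]
		}
		if len(fields) == 2 && fields[0] == goGitModule {
			return fields[1], true
		}
	}
	return "", false
}

// Affected reports whether go.mod pins a go-git v5 version before the fixed
// release. A go.mod without a go-git requirement is reported as not affected.
func Affected(goMod string) (affected bool, version string, err error) {
	v, ok := goGitVersion(goMod)
	if !ok {
		return false, "", nil
	}
	have, err := parseSemver(v)
	if err != nil {
		return false, v, err
	}
	want, _ := parseSemver(fixedVersion)
	return semverLess(have, want), v, nil
}

// Constructed sample go.mod (not from the advisory) pinning an older release.
const sampleGoMod = `module example.com/app

go 1.21

require (
	github.com/go-git/go-git/v5 v5.10.1 // indirect
	golang.org/x/text v0.14.0
)
`

func main() {
	affected, v, err := Affected(sampleGoMod)
	if err != nil {
		log.Fatal(err)
	}
	if affected {
		fmt.Printf("go-git %s is before %s: upgrade (CVE-2023-49568)\n", v, fixedVersion)
		return
	}
	fmt.Printf("go-git %s is at or after %s\n", v, fixedVersion)
}
```

The check reads go.mod only. A replace directive or minimal-version selection across your other dependencies can change what is actually built, so after go mod tidy confirm the resolved version with go list -m github.com/go-git/go-git/v5.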

Original References

- CVE-2023-49568 - NVD
- go-git Repository on GitHub
- Changelog for v5.11

Conclusion

In conclusion, it is crucial to address this denial of service vulnerability (CVE-2023-49568) in go-git versions prior to v5.11. By sending specially crafted responses from a Git server, an attacker can perform denial of service attacks and trigger resource exhaustion in go-git clients. To prevent potential exploitation, ensure your go-git dependency is updated to the latest version (v5.11 or later).

Timeline

Published on: 01/12/2024 11:15:12 UTC
Last modified on: 01/22/2024 17:57:41 UTC