A denial of service (DoS) vulnerability (CVE-2023-49568) has been identified in go-git versions prior to v5.11. If left unpatched, this vulnerability can enable attackers to conduct denial of service attacks by sending maliciously crafted responses from a Git server. As a result, impacted go-git clients may experience resource exhaustion. Notably, applications utilizing the in-memory filesystem supported by go-git remain unaffected by this vulnerability. It is also important to note that this is a go-git implementation issue and does not impact the upstream git CLI.
Exploit Details
The vulnerability exists within the go-git implementation, wherein specially crafted responses from a Git server can trigger resource exhaustion on go-git clients. These crafted responses can be sent remotely by attackers, causing resource consumption to skyrocket and eventually lead to a denial of service (DoS) attack.
Affected Versions
This vulnerability affects go-git versions prior to v5.11.
Here is an example of a code snippet that might be impacted by this vulnerability
package main
import (
"fmt"
"log"
"os"
git "github.com/go-git/go-git/v5"
)
func main() {
repository, err := git.PlainClone("/tmp/example-repo", false, &git.CloneOptions{
URL: "https://github.com/example/example-repo";,
Progress: os.Stdout,
})
if err != nil {
log.Fatal(err)
}
fmt.Println(repository)
}
To protect your application from this vulnerability, it is essential to upgrade to the latest version of go-git (v5.11 or later).
How to Fix
To fix this vulnerability, promptly update your go-git dependency to the latest version (v5.11 or later) by modifying your go.mod file:
require github.com/go-git/go-git/v5 v5.11.
After updating the dependency, run
go mod tidy
to ensure that the latest version is being used in your project.
Original References
- CVE-2023-49568 - NVD
- go-git Repository on GitHub
- Changelog for v5.11
Conclusion
In conclusion, it is crucial to address this denial of service vulnerability (CVE-2023-49568) in go-git versions prior to v5.11. By sending specially crafted responses from a Git server, an attacker can perform denial of service attacks and trigger resource exhaustion in go-git clients. To prevent potential exploitation, ensure your go-git dependency is updated to the latest version (v5.11 or later).
Timeline
Published on: 01/12/2024 11:15:12 UTC
Last modified on: 01/22/2024 17:57:41 UTC