
HCSEC-2024-13 (Published)

**Bulletin ID:** HCSEC-2024-13
**Affected Products / Versions:** go-getter up to 1.7.4; fixed in go-getter 1.7.5.
**Publication Date:** June 24, 2024

**Summary**

HashiCorp's go-getter library can be coerced into running a Git update against an existing, maliciously modified Git configuration, potentially leading to arbitrary code execution. This vulnerability, CVE-2024-6257, was fixed in go-getter 1.7.5.

**Background**

HashiCorp's [go-getter](https://github.com/hashicorp/go-getter) is a Go library for downloading files or directories from various sources, using a URL as the primary form of input.

**Details**

When go-getter performs a Git operation, it tries to clone the given repository into a specified destination. Cloning initializes a Git config in that destination, and if the repository later needs to be updated, go-getter pulls the new changes into the existing destination. An attacker who can alter that Git config after the cloning step can set arbitrary Git configuration, which is then honoured by the update and can achieve code execution.

**Remediation**

Consumers of the go-getter library should evaluate the risk associated with this issue in the context of their go-getter usage and upgrade go-getter to 1.7.5 or later. The latest go-getter releases can be found at [https://github.com/hashicorp/go-getter/releases](https://github.com/hashicorp/go-getter/releases).

**Acknowledgement**

This issue was identified by Kraken Security Labs.

*We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see [https://hashicorp.com/security](https://hashicorp.com/security).*
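The exposure described under Details is the reuse of an existing destination: its `.git/config` is trusted as-is when the update runs. As an added illustration (this is not go-getter's code and not the 1.7.5 fix), the Go function below applies the conservative check a consumer can make before updating in place: it parses the destination's `.git/config` and treats any key beyond those a fresh clone writes as a reason to discard the destination and clone afresh rather than pull into it. The allowlist and the sample config are assumptions constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// allowedKeys: the keys a fresh clone writes (an assumption for this example).
// "*" stands for a subsection name such as "origin" in [remote "origin"].
// Anything else in a reused destination means the config is no longer what the clone left.
var allowedKeys = map[string]bool{
	"core.repositoryformatversion": true, "core.filemode": true, "core.bare": true,
	"core.logallrefupdates": true, "core.ignorecase": true, "remote.*.url": true,
	"remote.*.fetch": true, "branch.*.remote": true, "branch.*.merge": true,
}
var sectionRe = regexp.MustCompile(`^\[([^\s"\]]+)(?:\s+"([^"]*)")?\]$`)

// UnexpectedKeys parses .git/config text and returns every fully qualified
// key (e.g. "alias.co") that is not in allowedKeys.
func UnexpectedKeys(cfg string) []string {
	var unexpected []string
	pattern, name := "", "" // section prefix for matching / for reporting
	sc := bufio.NewScanner(strings.NewReader(cfg))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		if m := sectionRe.FindStringSubmatch(line); m != nil {
			pattern, name = strings.ToLower(m[1]), strings.ToLower(m[1])
			if m[2] != "" {
				pattern, name = pattern+".*", name+"."+m[2]
			}
			continue
		}
		key := strings.ToLower(strings.TrimSpace(strings.SplitN(line, "=", 2)[0]))
		if !allowedKeys[pattern+"."+key] {
			unexpected = append(unexpected, name+"."+key)
		}
	}
	return unexpected
}

// SafeToUpdate reports whether an existing destination may be pulled into;
// otherwise the caller should discard it and clone afresh.
func SafeToUpdate(cfg string) bool { return len(UnexpectedKeys(cfg)) == 0 }

func main() { // constructed sample: a clone's config plus one key the clone never wrote
	cfg := "[core]\n\tbare = false\n[remote \"origin\"]\n\turl = https://example.com/r.git\n[alias]\n\tco = checkout\n"
	fmt.Println(SafeToUpdate(cfg), UnexpectedKeys(cfg)) // false [alias.co]
}
```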

Timeline

  • Jun 25, 2024 CVE Published