
CVE-2023-49569

CVE Details

Visit the official vulnerability details page for CVE-2023-49569 to learn more.

Initial Publication

01/27/2025

Last Update

02/21/2025

Third Party Dependency

gopkg.in/src-d/go-git.v4

NIST CVE Summary

A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worst-case scenario, remote code execution could be achieved.

Applications are only affected if they are using the ChrootOS (https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS), which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS (https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS) or in-memory filesystems are not affected by this issue. This is a go-git implementation issue and does not affect the upstream git cli.

CVE Severity

9.8

Our Official Summary

This problem only affects the Go implementation (go-git) and not the original git CLI code. Applications using BoundOS or in-memory filesystems are not affected by this issue. To reduce the risk of compromise, clients should be restricted to connecting only to trusted git servers.

An upstream fix for the third-party images is awaited. We will adopt the fixed version once it becomes available.

Status

Ongoing

Affected Products & Versions

| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
|---|---|---|---|---|
| 4.6.7 | ⚠️ Impacted | ✅ No Impact | ✅ No Impact | ✅ No Impact |
| 4.6.6 | ⚠️ Impacted | ✅ No Impact | ✅ No Impact | ✅ No Impact |
| 4.5.22 | ⚠️ Impacted | ✅ No Impact | ✅ No Impact | ✅ No Impact |
| 4.5.21 | ⚠️ Impacted | ✅ No Impact | ✅ No Impact | ✅ No Impact |
| 4.5.20 | ⚠️ Impacted | ✅ No Impact | ✅ No Impact | ✅ No Impact |

Revision History

| Date | Revision |
|---|---|
| 02/21/2025 | Impacted versions changed from 4.5.20, 4.5.21, 4.5.22, 4.6.6 to 4.5.20, 4.5.21, 4.5.22, 4.6.6, 4.6.7 |
| 02/17/2025 | Impacted versions changed from 4.5.20, 4.5.21, 4.5.22 to 4.5.20, 4.5.21, 4.5.22, 4.6.6 |
| 02/14/2025 | Impacted versions changed from 4.5.20, 4.5.21 to 4.5.20, 4.5.21, 4.5.22 |
| 02/12/2025 | Status changed from Open to Ongoing |
| 02/12/2025 | Official summary added |
| 02/05/2025 | Impacted versions changed from 4.5.20 to 4.5.20, 4.5.21 |