CVE-2024-3817
Publication date 17 April 2024
Last updated 4 August 2025
Ubuntu priority
Description
HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. This vulnerability does not affect the go-getter/v2 branch and package.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| golang-github-jesseduffield-go-getter | 25.10 questing | Not in release |
| 24.04 LTS noble |
Vulnerable
|
|
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal |
Vulnerable
|
|
| golang-github-hashicorp-go-getter | 25.10 questing |
Vulnerable
|
| 24.04 LTS noble |
Vulnerable
|
|
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal |
Vulnerable
|
|
| 18.04 LTS bionic |
Vulnerable
|
Notes
allenpthuang
upstream says affected versions are >=1.5.9, but affected code seems to be there in 1.4.1 and below. `golang-github-jesseduffield-go-getter` is a fork at 906e156.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
9.8 · Critical
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2024-3817
- https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040
- https://github.com/advisories/GHSA-q64h-39hv-4cf7
- https://github.com/hashicorp/go-getter/commit/268c11cae8cf0d9374783e06572679796abe9ce9