{"id":"GO-2024-2456","summary":"Path traversal and RCE in github.com/go-git/go-git/v5 and gopkg.in/src-d/go-git.v4","details":"Path traversal and RCE in github.com/go-git/go-git/v5 and gopkg.in/src-d/go-git.v4","aliases":["CVE-2023-49569","GHSA-449p-3h89-pw88"],"modified":"2026-03-17T04:50:33.029720Z","published":"2024-01-23T15:29:09Z","related":["CGA-ghfj-54hg-3xgm"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2024-2456"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49569"}],"affected":[{"package":{"name":"gopkg.in/src-d/go-git.v4","ecosystem":"Go","purl":"pkg:golang/gopkg.in/src-d/go-git.v4"},"ranges":[{"type":"SEMVER","events":[{"introduced":"4.7.1"}]}],"ecosystem_specific":{},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-2456.json"}},{"package":{"name":"github.com/go-git/go-git/v5","ecosystem":"Go","purl":"pkg:golang/github.com/go-git/go-git/v5"},"ranges":[{"type":"SEMVER","events":[{"introduced":"5.0.0"},{"fixed":"5.11.0"}]}],"ecosystem_specific":{"imports":[{"symbols":["AddOptions.Validate","Blame","BlameResult.String","Clone","CloneContext","CommitOptions.Validate","CreateTagOptions.Validate","GrepOptions.Validate","GrepResult.String","Init","InitWithOptions","NoMatchingRefSpecError.Error","Open","PlainClone","PlainCloneContext","PlainInit","PlainInitWithOptions","PlainOpen","PlainOpenWithOptions","Remote.Fetch","Remote.FetchContext","Remote.List","Remote.ListContext","Remote.Push","Remote.PushContext","Remote.String","Repository.BlobObject","Repository.BlobObjects","Repository.Branch","Repository.Branches","Repository.CommitObject","Repository.CommitObjects","Repository.Config","Repository.ConfigScoped","Repository.CreateBranch","Repository.CreateRemote","Repository.CreateRemoteAnonymous","Repository.CreateTag","Repository.DeleteBranch","Repository.DeleteObject","Repository.DeleteRemote","Repository.DeleteTag","Repository.Fetch","Repository.FetchContext","Repository.Grep","Repository.Head","Repository.Log","Repository.Notes","Repository.Object","Repository.Objects","Repository.Prune","Repository.Push","Repository.PushContext","Repository.Reference","Repository.References","Repository.Remote","Repository.Remotes","Repository.RepackObjects","Repository.ResolveRevision","Repository.SetConfig","Repository.Tag","Repository.TagObject","Repository.TagObjects","Repository.Tags","Repository.TreeObject","Repository.TreeObjects","ResetOptions.Validate","Status.String","Submodule.Init","Submodule.Repository","Submodule.Status","Submodule.Update","Submodule.UpdateContext","SubmoduleStatus.String","Submodules.Init","Submodules.Status","Submodules.Update","Submodules.UpdateContext","SubmodulesStatus.String","Worktree.Add","Worktree.AddGlob","Worktree.AddWithOptions","Worktree.Checkout","Worktree.Clean","Worktree.Commit","Worktree.Grep","Worktree.Move","Worktree.Pull","Worktree.PullContext","Worktree.Remove","Worktree.RemoveGlob","Worktree.Reset","Worktree.ResetSparsely","Worktree.Status","Worktree.Submodule","Worktree.Submodules","Worktree.checkoutFileSymlink","Worktree.createBranch","buildTreeHelper.BuildTree","checkFastForwardUpdate","isFastForward"],"path":"github.com/go-git/go-git/v5"},{"symbols":["Branch.Validate","Config.Unmarshal","Config.Validate","LoadConfig","ReadConfig","RemoteConfig.Validate"],"path":"github.com/go-git/go-git/v5/config"},{"symbols":["Commit.Stats","Commit.StatsContext","Patch.Stats","getFileStatsFromFilePatches"],"path":"github.com/go-git/go-git/v5/plumbing/object"},{"symbols":["ConfigStorage.Config","ConfigStorage.SetConfig","ModuleStorage.Module","NewStorage","NewStorageWithOptions","ObjectStorage.EncodedObject"],"path":"github.com/go-git/go-git/v5/storage/filesystem"},{"symbols":["DotGit.Alternates"],"path":"github.com/go-git/go-git/v5/storage/filesystem/dotgit"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-2456.json"}}],"schema_version":"1.7.5","credits":[{"name":"Ionut Lalu"}]}