This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: A Path Traversal flaw in `go-git`. π **Consequences**: Attackers can create/modify files across file systems. π₯ **Impact**: High risk to Confidentiality, Integrity, and Availability (CVSS 9.8).
Q2Root Cause? (CWE/Flaw)
π‘οΈ **CWE**: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). π **Flaw**: Insufficient validation allows traversing outside intended directories.
π» **Privileges**: No authentication required (PR:N). π **Data**: Full read/write access to arbitrary files. π **Scope**: Cross-file system manipulation allowed.
π **Public Exp**: No specific PoC listed in data. π **Reference**: GitHub Security Advisory (GHSA-449p-3h89-pw88) available. β οΈ **Risk**: High CVSS suggests easy exploitation logic.
Q7How to self-check? (Features/Scanning)
π **Check**: Scan for `go-git` usage in Go projects. π **Version**: Verify if version < 5.11. π οΈ **Tool**: Use dependency scanners to detect vulnerable library versions.
Q8Is it fixed officially? (Patch/Mitigation)
π§ **Fix**: Upgrade to **go-git v5.11** or higher. π₯ **Source**: Official GitHub repository. π **Advisory**: See GHSA-449p-3h89-pw88 for details.
Q9What if no patch? (Workaround)
π§ **Workaround**: If upgrade impossible, restrict file system access permissions. π **Mitigation**: Implement strict input validation on git operations manually.β¦