CVE-2023-49569— Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-49569
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients
Source: NVD (National Vulnerability Database)
Vulnerability Description
A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worse case scenario, remote code execution could be achieved. Applications are only affected if they are using the ChrootOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS , which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS or in-memory filesystems are not affected by this issue. This is a go-git implementation issue and does not affect the upstream git cli.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Vulnerability Title
go-git 路径遍历漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
go-git是go-git开源的一个用纯 Go 编写的高度可扩展的 git 实现库。 go-git v5.11 之前版本存在路径遍历漏洞,该漏洞源于许攻击者跨文件系统创建和修改文件。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Shenlong Deep Dive — AI Deep Analysis
10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.
Affected Products
II. Public POCs for CVE-2023-49569
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-49569
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: go-git
- CVE-2026-41506
go-git Credential leak via cross-host redirect in smart HTTP - CVE-2026-33762
go-git: Missing validation decoding Index v4 files leads to - CVE-2026-34165
go-git: Maliciously crafted idx file can cause asymmetric me - CVE-2026-25934
go-git improperly verifies data integrity values for .idx an - CVE-2025-21614
go-git clients vulnerable to DoS via maliciously crafted Git
Same vendor: go-git
- CVE-2026-41506
go-git Credential leak via cross-host redirect in smart HTTP - CVE-2026-33762
go-git: Missing validation decoding Index v4 files leads to - CVE-2026-34165
go-git: Maliciously crafted idx file can cause asymmetric me - CVE-2026-25934
go-git improperly verifies data integrity values for .idx an - CVE-2025-21614
go-git clients vulnerable to DoS via maliciously crafted Git
Same weakness: CWE-22
- CVE-2026-8274
npitre cramfs-tools Directory cramfsck.c do_directory path t - CVE-2022-50956
WordPress Plugin amministrazione-aperta 3.7.3 Local File Rea - CVE-2026-8215
Industrial Application Software IAS Canias ERP RMI iasReques - CVE-2026-42605
AzuraCast: Path Traversal in `currentDirectory` Parameter En - CVE-2026-42574
apko dirFS has a symlink-following path traversal that allow
V. Comments for CVE-2023-49569
No comments yet