gitlab-rails-ee-fips-17.7
17.7.2-r0
9.8
CVSS V3
go-git has an Argument Injection via the URL field
An argument injection vulnerability was discovered in go-git versions prior to v5.13.
Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries.
Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.
In cases where a bump to the latest version of go-git is not possible, we recommend users to enforce restrict validation rules for values passed in the URL field.
Thanks to @vin01 for responsibly disclosing this vulnerability to us.
