CVE-2023-49568: 
Packer vulnerability analysis and mitigation

A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. The vulnerability, identified as CVE-2023-49568, affects go-git versions from 4.0.0 up to (excluding) 5.11.0. This security issue was disclosed on December 24, 2023, and allows attackers to perform denial of service attacks through specially crafted responses from Git servers. It's important to note that this is specifically a go-git implementation issue and does not affect the upstream git cli. Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High severity) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The attack vector is network-based, with low attack complexity and requires no privileges or user interaction. The scope is unchanged, and while there is no impact on confidentiality or integrity, the availability impact is high. The vulnerability is classified under CWE-20 (Improper Input Validation) (GitHub Advisory, NVD).

When exploited, this vulnerability can trigger resource exhaustion in go-git clients, leading to denial of service conditions. The impact is specifically focused on availability, with no reported effects on system confidentiality or integrity. The high CVSS score for availability impact indicates that the vulnerability can cause a total shutdown of the affected resource (GitHub Advisory).

Users running versions of go-git from v4 and above are recommended to upgrade to v5.11 or later to mitigate this vulnerability. For cases where upgrading is not immediately possible, it is recommended to limit go-git usage to only trusted Git servers. Applications using only the in-memory filesystem supported by go-git are not affected and don't require mitigation (GitHub Advisory).