
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A path traversal vulnerability (CVE-2023-49569) was discovered in go-git, the pure-Go implementation of Git. It affects all versions from v4.0.0 up to, but excluding, v5.11.0. The issue was disclosed on January 9, 2024, and allows an attacker to create and amend files anywhere on the filesystem when go-git is used in specific configurations (GitHub Advisory).
The vulnerability affects applications that use ChrootOS, which is the default filesystem for the 'Plain' variants of the Open and Clone functions (for example PlainClone). Applications that use BoundOS or an in-memory filesystem are not affected. The hostile input is repository content received from a remote, so an application is exposed whenever it clones or fetches from a Git server it does not control. The vulnerability has a CVSS v3.1 base score of 9.8 (Critical) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, and high impact on confidentiality, integrity and availability (GitHub Advisory).
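To make the ChrootOS/BoundOS distinction concrete, here is an added example, not go-git's or go-billy's own code, of the containment check an application can apply to untrusted repository entry names before writing them under a checkout directory. A lexical join-and-clean catches "../" traversal but says nothing about symlinks already present in the worktree; resolving the existing prefix of the path (a dangling symlink included) and re-checking containment is the property a bound filesystem is meant to guarantee. The page does not describe the exact ChrootOS bypass, so the BoundPath function, the SetupDemo layout and the entry names below are constructed for illustration only.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideBase = errors.New("path escapes the base directory") // via "../" or a symlink

func within(base, target string) bool { // is target base itself or below it? (clean paths)
	rel, err := filepath.Rel(base, target)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveExisting follows symlinks in the longest existing prefix of p (a dangling
// symlink included: a write through it lands at its target) and re-attaches the tail.
func resolveExisting(p string) (string, error) {
	cur, rest := p, ""
	for {
		switch r, err := filepath.EvalSymlinks(cur); {
		case err == nil:
			return filepath.Join(r, rest), nil
		case !errors.Is(err, fs.ErrNotExist):
			return "", err // includes ELOOP on symlink cycles
		}
		if dest, err := os.Readlink(cur); err == nil { // dangling symlink: follow by hand
			if !filepath.IsAbs(dest) {
				dest = filepath.Join(filepath.Dir(cur), dest)
			}
			cur = dest
			continue
		}
		parent := filepath.Dir(cur) // cur is simply missing: step up one component
		if parent == cur {
			return "", fmt.Errorf("no existing prefix for %q", p)
		}
		rest, cur = filepath.Join(filepath.Base(cur), rest), parent
	}
}

// BoundPath returns the cleaned absolute path for untrusted repository entry rel beneath
// base (an existing directory, absolute path), or ErrOutsideBase if writing it would escape.
func BoundPath(base, rel string) (string, error) {
	if filepath.IsAbs(rel) {
		return "", ErrOutsideBase // tree entries are always relative
	}
	absBase, err := filepath.EvalSymlinks(base)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absBase, rel) // Join cleans "a/../b" and "./" lexically
	if !within(absBase, target) {         // lexical check only, chroot-style
		return "", ErrOutsideBase
	}
	resolved, err := resolveExisting(target) // symlink-aware check, bound-style
	if err != nil {
		return "", err
	}
	if !within(absBase, resolved) {
		return "", ErrOutsideBase
	}
	return target, nil
}

// SetupDemo builds a constructed layout under root: checkout/docs/, checkout/inside
// -> docs, checkout/escape -> outside/, checkout/dangling -> outside/missing (absent).
func SetupDemo(root string) (base, outside string, err error) {
	base, outside = filepath.Join(root, "checkout"), filepath.Join(root, "outside")
	if err = os.MkdirAll(filepath.Join(base, "docs"), 0o755); err == nil {
		err = os.MkdirAll(outside, 0o755)
	}
	for name, dest := range map[string]string{"inside": "docs", "escape": outside,
		"dangling": filepath.Join(outside, "missing")} {
		if err == nil {
			err = os.Symlink(dest, filepath.Join(base, name))
		}
	}
	return
}

func main() {
	root, err := os.MkdirTemp("", "boundpath")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	base, _, err := SetupDemo(root)
	if err != nil {
		panic(err)
	}
	for _, e := range []string{"docs/README.md", "inside/notes.txt", "../../etc/cron.d/job", "escape/payload.sh", "dangling"} { // constructed entry names
		p, err := BoundPath(base, e)
		fmt.Printf("%-22s -> %s %v\n", e, p, err)
	}
}
```

Two practical points: callers must open the path BoundPath returns, never the raw entry, because the lexical cleaning is part of the check (the kernel would resolve "escape/../x" through the symlink, the cleaned path does not); and the check is still racy if the worktree can be modified between check and write, so it belongs in the same code path that performs the write rather than in a separate scan.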
In the worst case the vulnerability can lead to remote code execution (RCE): an attacker who can write arbitrary files on the host can plant or overwrite something that is later executed. The flaw is specific to go-git's implementation and does not affect the upstream git CLI (GitHub Advisory).
Users of go-git v4.0.0 and later are strongly recommended to upgrade to v5.11.0 or later. Where an immediate upgrade is not possible, the recommended temporary workaround is to limit go-git to trusted Git servers only (GitHub Advisory). Running govulncheck against the build is a quick way to confirm whether a Go binary actually pulls in an affected go-git release.
The vulnerability was responsibly disclosed by security researcher Ionut Lalu. Multiple organizations, including Red Hat, have acknowledged its severity and are updating their affected products (Red Hat Advisory).
Source: This report was generated using AI