CVE-2024-3817: 
Terraform Community vulnerability analysis and mitigation

HashiCorp's go-getter library was found to be vulnerable to argument injection when executing Git to discover remote branches, identified as CVE-2024-3817. The vulnerability affects go-getter versions 1.5.9 through 1.7.3, but does not impact the go-getter/v2 branch and package. This critical vulnerability was disclosed on April 17, 2024 (HashiCorp Advisory).

The vulnerability stems from how go-getter handles Git URLs during repository cloning operations. When a Git reference is not provided with the Git URL, go-getter attempts to check the remote repository's HEAD reference of its default branch by passing arguments to the Git binary on the host system. This implementation allows attackers to potentially format Git URLs to inject additional Git arguments into the Git command execution. The vulnerability has been assigned a CVSS v3.1 score of 9.8 (Critical), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could allow attackers to inject malicious code during Git operations, potentially leading to system compromise. Given the critical CVSS score of 9.8, successful exploitation could result in complete system compromise with high impacts on confidentiality, integrity, and availability (Security Online).

Users are strongly advised to upgrade to go-getter version 1.7.4 or later, which contains the fix for this vulnerability. Organizations should evaluate the risk associated with their go-getter usage and prioritize the upgrade accordingly (HashiCorp Advisory).