
Cloud Vulnerability DB
A community-led vulnerabilities database
HashiCorp's go-getter library is affected by CVE-2024-6257, a vulnerability that can be exploited to execute arbitrary code through manipulation of the Git configuration. The vulnerability was discovered and disclosed on June 24, 2024, and affects go-getter versions up to 1.7.4. It has been assigned a CVSS v3.1 base score of 8.4 (HIGH) (HashiCorp Advisory).
The vulnerability occurs during Git operations when go-getter clones a repository to a specified destination. After the initial clone step, which initializes a git config, an attacker can modify the Git configuration before the subsequent update step. The vulnerability is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command), i.e. command injection. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H reflects the high severity of the potential impact: complete loss of confidentiality, integrity, and availability with a scope change, although high privileges and user interaction are required (HashiCorp Advisory).
If successfully exploited, this vulnerability can lead to arbitrary code execution on affected systems. The high CVSS score reflects the potential for severe impact on the confidentiality, integrity, and availability of those systems (HashiCorp Advisory).
HashiCorp has released go-getter version 1.7.5 to address this vulnerability. Users are strongly advised to upgrade to this version or later. Organizations should review where go-getter is used, directly or as a transitive dependency, and assess the associated risk in their specific context (HashiCorp Advisory).
The vulnerability was identified and reported by Kraken Security Labs, an example of the ongoing security research into the open-source supply chain. HashiCorp acknowledged the responsible disclosure and coordinated the release of the fix (HashiCorp Advisory).
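As an added example, not code from the advisory or from the go-getter project: a small Go check that reads go.mod text and flags the affected v1 module path (github.com/hashicorp/go-getter) when it is pinned below v1.7.5, treating pre-release and Go pseudo-versions of v1.7.5 as still unfixed. The sample go.mod in main is constructed for the demonstration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Affected module path (v1 path only) and first fixed version, per the HashiCorp advisory for CVE-2024-6257.
const goGetterModule = "github.com/hashicorp/go-getter"
var fixed = [3]int{1, 7, 5} // v1.7.5

// olderThanFixed reports whether a go.mod version such as "v1.7.4", "v1.7.5-rc1" or a
// pseudo-version "v1.7.5-0.20240101000000-abcdef" sorts before v1.7.5 (pre-release < release).
func olderThanFixed(v string) bool {
	base, suffix, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-") // "-rc1" or pseudo-version tail
	base, _, _ = strings.Cut(base, "+")                              // drop "+incompatible"
	parts := strings.Split(base, ".")
	if len(parts) != 3 {
		return false // not a version we understand; do not guess
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return false
		}
		if n != fixed[i] {
			return n < fixed[i]
		}
	}
	return suffix != "" // exactly v1.7.5 is fixed; a pre-release of it is not
}

// VulnerableGoGetter returns the go.mod requirement entries (single-line or block
// "require" form, "// indirect" included) that pin go-getter below the fixed version.
func VulnerableGoGetter(goMod string) []string {
	var hits []string
	for _, raw := range strings.Split(goMod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(raw), "require "))
		if len(f) >= 2 && f[0] == goGetterModule && olderThanFixed(f[1]) {
			hits = append(hits, f[0]+" "+f[1])
		}
	}
	return hits
}

func main() {
	sample := "module example.com/app\n\nrequire (\n\tgithub.com/hashicorp/go-getter v1.7.4 // indirect\n\tgithub.com/hashicorp/go-getter/v2 v2.2.1\n)\n" // constructed sample
	fmt.Println(VulnerableGoGetter(sample)) // [github.com/hashicorp/go-getter v1.7.4]
}
```

For the version actually selected by a build rather than the one written in go.mod, feed it the output of `go list -m all`, whose lines have the same `path version` shape.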
Source: This report was generated using AI