CVE-2025-21613 - Vulnerability Details

go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Redhat	Advanced Cluster Security Enterprise Linux Openshift Openshift Builds Openshift Gitops Openstack Rhel Eus Trusted Profile Analyzer

No data.

Package	CPE	Advisory	Released Date
Red Hat Advanced Cluster Security 4.4
advanced-cluster-security/rhacs-main-rhel8:4.4.8-2	cpe:/a:redhat:advanced_cluster_security:4.4::el8	RHSA-2025:1468	2025-02-13T00:00:00Z
advanced-cluster-security/rhacs-rhel8-operator:4.4.8-2	cpe:/a:redhat:advanced_cluster_security:4.4::el8	RHSA-2025:1468	2025-02-13T00:00:00Z
advanced-cluster-security/rhacs-roxctl-rhel8:4.4.8-2	cpe:/a:redhat:advanced_cluster_security:4.4::el8	RHSA-2025:1468	2025-02-13T00:00:00Z
Red Hat Advanced Cluster Security 4.5
advanced-cluster-security/rhacs-main-rhel8:4.5.6-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:1334	2025-02-11T00:00:00Z
advanced-cluster-security/rhacs-rhel8-operator:4.5.6-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:1334	2025-02-11T00:00:00Z
advanced-cluster-security/rhacs-roxctl-rhel8:4.5.6-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:1334	2025-02-11T00:00:00Z
advanced-cluster-security/rhacs-scanner-rhel8:4.5.6-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:1334	2025-02-11T00:00:00Z
advanced-cluster-security/rhacs-scanner-slim-rhel8:4.5.6-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:1334	2025-02-11T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.5.6-1	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:1334	2025-02-11T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-rhel8:4.5.6-2	cpe:/a:redhat:advanced_cluster_security:4.5::el8	RHSA-2025:1334	2025-02-11T00:00:00Z
Red Hat Advanced Cluster Security 4.6
advanced-cluster-security/rhacs-central-db-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-collector-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-collector-slim-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-main-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-operator-bundle:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-rhel8-operator:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-roxctl-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-scanner-db-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-scanner-db-slim-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-scanner-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-scanner-slim-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-rhel8:4.6.2-2	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:0907	2025-02-03T00:00:00Z
Red Hat Enterprise Linux 8
grafana-0:9.2.10-21.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2025:0401	2025-01-20T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support
grafana-0:9.2.10-21.el9_4	cpe:/a:redhat:rhel_eus:9.4	RHSA-2025:0662	2025-01-23T00:00:00Z
Red Hat OpenShift Container Platform 4.16
openshift4/ose-helm-rhel9-operator:v4.16.0-202502130836.p0.g26e182e.assembly.stream.el9	cpe:/a:redhat:openshift:4.16::el9	RHSA-2025:1704	2025-02-27T00:00:00Z
openshift4/ose-operator-sdk-rhel9:v4.16.0-202502190034.p0.g26e182e.assembly.stream.el9	cpe:/a:redhat:openshift:4.16::el9	RHSA-2025:1704	2025-02-27T00:00:00Z
Red Hat OpenShift Container Platform 4.17
openshift4/oc-mirror-plugin-rhel9:v4.17.0-202501221434.p0.g39bedc7.assembly.stream.el9	cpe:/a:redhat:openshift:4.17::el9	RHSA-2025:0654	2025-01-28T00:00:00Z
openshift4/ose-helm-rhel9-operator:v4.17.0-202502051104.p0.g61a705e.assembly.stream.el9	cpe:/a:redhat:openshift:4.17::el9	RHSA-2025:1119	2025-02-11T00:00:00Z
openshift4/ose-operator-sdk-rhel9:v4.17.0-202502051104.p0.g61a705e.assembly.stream.el9	cpe:/a:redhat:openshift:4.17::el9	RHSA-2025:1119	2025-02-11T00:00:00Z
Red Hat OpenShift Container Platform 4.18
openshift4/oc-mirror-plugin-rhel9:v4.18.0-202502100934.p0.gc00c7c9.assembly.stream.el9	cpe:/a:redhat:openshift:4.18::el9	RHSA-2024:6122	2025-02-25T00:00:00Z
openshift4/ose-olm-catalogd-rhel9:v4.18.0-202502052031.p0.gf95a88f.assembly.stream.el9	cpe:/a:redhat:openshift:4.18::el9	RHSA-2024:6122	2025-02-25T00:00:00Z
openshift4/ose-olm-operator-controller-rhel9:v4.18.0-202502051931.p0.g74a2477.assembly.stream.el9	cpe:/a:redhat:openshift:4.18::el9	RHSA-2024:6122	2025-02-25T00:00:00Z
Red Hat OpenShift GitOps 1.14
openshift-gitops-argocd-container-v1.14.3-4	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:3069	2025-03-20T00:00:00Z
openshift-gitops-argocd-rhel9-container-v1.14.3-1	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:3069	2025-03-20T00:00:00Z
openshift-gitops-argo-rollouts-container-v1.14.3-4	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:3069	2025-03-20T00:00:00Z
openshift-gitops-console-plugin-container-v1.14.3-4	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:3069	2025-03-20T00:00:00Z
openshift-gitops-container-v1.14.3-4	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:3069	2025-03-20T00:00:00Z
openshift-gitops-dex-container-v1.14.3-4	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:3069	2025-03-20T00:00:00Z
openshift-gitops-kam-delivery-container-v1.14.3-4	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:3069	2025-03-20T00:00:00Z
openshift-gitops-must-gather-container-v1.14.3-4	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:3069	2025-03-20T00:00:00Z
openshift-gitops-operator-bundle-container-v1.14.3-4	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:3069	2025-03-20T00:00:00Z
openshift-gitops-operator-container-v1.14.3-4	cpe:/a:redhat:openshift_gitops:1.14::el8	RHSA-2025:3069	2025-03-20T00:00:00Z
Red Hat OpenShift GitOps 1.15
openshift-gitops-1/argocd-extensions-rhel8:v1.15.1-7	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:1888	2025-02-26T00:00:00Z
openshift-gitops-1/argocd-rhel8:v1.15.1-7	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:1888	2025-02-26T00:00:00Z
openshift-gitops-1/argocd-rhel9:v1.15.1-1	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:1888	2025-02-26T00:00:00Z
openshift-gitops-1/argo-rollouts-rhel8:v1.15.1-7	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:1888	2025-02-26T00:00:00Z
openshift-gitops-1/console-plugin-rhel8:v1.15.1-7	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:1888	2025-02-26T00:00:00Z
openshift-gitops-1/dex-rhel8:v1.15.1-7	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:1888	2025-02-26T00:00:00Z
openshift-gitops-1/gitops-operator-bundle:v1.15.1-7	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:1888	2025-02-26T00:00:00Z
openshift-gitops-1/gitops-rhel8:v1.15.1-7	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:1888	2025-02-26T00:00:00Z
openshift-gitops-1/gitops-rhel8-operator:v1.15.1-7	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:1888	2025-02-26T00:00:00Z
openshift-gitops-1/must-gather-rhel8:v1.15.1-7	cpe:/a:redhat:openshift_gitops:1.15::el8	RHSA-2025:1888	2025-02-26T00:00:00Z
Red Hat OpenStack Platform 16.2
rhosp-rhel8/osp-director-agent:1.3.0-17	cpe:/a:redhat:openstack:16.2::el8	RHSA-2025:1869	2025-02-26T00:00:00Z
rhosp-rhel8/osp-director-downloader:1.3.0-17	cpe:/a:redhat:openstack:16.2::el8	RHSA-2025:1869	2025-02-26T00:00:00Z
rhosp-rhel8/osp-director-operator:1.3.0-15	cpe:/a:redhat:openstack:16.2::el8	RHSA-2025:1869	2025-02-26T00:00:00Z
rhosp-rhel8/osp-director-operator-bundle:1.3.0-33	cpe:/a:redhat:openstack:16.2::el8	RHSA-2025:1869	2025-02-26T00:00:00Z
Red Hat OpenStack Platform 17.1 for RHEL 9
rhosp-rhel9/osp-director-agent:1.3.1-20	cpe:/a:redhat:openstack:17.1::el9	RHSA-2025:1870	2025-02-26T00:00:00Z
rhosp-rhel9/osp-director-downloader:1.3.1-18	cpe:/a:redhat:openstack:17.1::el9	RHSA-2025:1870	2025-02-26T00:00:00Z
rhosp-rhel9/osp-director-operator:1.3.1-20	cpe:/a:redhat:openstack:17.1::el9	RHSA-2025:1870	2025-02-26T00:00:00Z
rhosp-rhel9/osp-director-operator-bundle:1.3.1-41	cpe:/a:redhat:openstack:17.1::el9	RHSA-2025:1870	2025-02-26T00:00:00Z
Builds for Red Hat OpenShift 1.1.1
registry.redhat.io/openshift-builds/openshift-builds-git-cloner-rhel9:sha256:a580ad568b67732135f47081d17e92f2848d571f934f31ab650984cc8eb3b0f4	cpe:/a:redhat:openshift_builds:1.1::el9	RHSA-2025:0715	2025-01-27T00:00:00Z
Builds for Red Hat OpenShift 1.2.1
registry.redhat.io/openshift-builds/openshift-builds-git-cloner-rhel9:sha256:f99a08e2fc4b3d35af37d96da9c6d397ccd05cd3a03fcc588ed6a7e12a1d1575	cpe:/a:redhat:openshift_builds:1.2::el9	RHSA-2025:0754	2025-01-28T00:00:00Z
Red Hat Trusted Profile Analyzer 1.2
registry.redhat.io/rhtpa/rhtpa-guac-rhel9:sha256:2dc71ee6e8c55a29b6dd68006c7d0365154d35c850021d8b4b77e24b4e8fd1a6	cpe:/a:redhat:trusted_profile_analyzer:1.2::el9	RHSA-2025:0444	2025-01-20T00:00:00Z
registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9:sha256:eb2e0b1003ef77c39b28fe9fbe2ca8141aa72160bdcd7d55eddac2c16629d7c4	cpe:/a:redhat:trusted_profile_analyzer:1.2::el9	RHSA-2025:0445	2025-01-20T00:00:00Z

References

Link	Providers
https://github.com/go-git/go-git/security/advisories/GHSA-v725-9546-7q7m
https://nvd.nist.gov/vuln/detail/CVE-2025-21613
https://www.cve.org/CVERecord?id=CVE-2025-21613

History

Fri, 21 Mar 2025 03:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:openshift_gitops:1.15::el8

Thu, 20 Mar 2025 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat openshift Gitops
CPEs		cpe:/a:redhat:openshift_gitops:1.14::el8
Vendors & Products		Redhat openshift Gitops

Thu, 27 Feb 2025 15:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:openshift:4.16::el9

Thu, 27 Feb 2025 02:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat openstack
CPEs		cpe:/a:redhat:openstack:16.2::el8 cpe:/a:redhat:openstack:17.1::el9
Vendors & Products		Redhat openstack

Tue, 25 Feb 2025 15:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:openshift:4.18::el9

Fri, 14 Feb 2025 03:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:advanced_cluster_security:4.4::el8

Thu, 13 Feb 2025 01:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat advanced Cluster Security Redhat enterprise Linux Redhat openshift Redhat openshift Builds Redhat rhel Eus Redhat trusted Profile Analyzer
CPEs		cpe:/a:redhat:advanced_cluster_security:4.5::el8 cpe:/a:redhat:advanced_cluster_security:4.6::el8 cpe:/a:redhat:enterprise_linux:8 cpe:/a:redhat:openshift:4.17::el9 cpe:/a:redhat:openshift_builds:1.1::el9 cpe:/a:redhat:openshift_builds:1.2::el9 cpe:/a:redhat:rhel_eus:9.4 cpe:/a:redhat:trusted_profile_analyzer:1.2::el9
Vendors & Products		Redhat Redhat advanced Cluster Security Redhat enterprise Linux Redhat openshift Redhat openshift Builds Redhat rhel Eus Redhat trusted Profile Analyzer

Tue, 07 Jan 2025 01:30:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2025-21613 https://www.cve.org/CVERecord?id=CVE-2025-21613
Metrics	threat_severity `None`	threat_severity `Important`

Mon, 06 Jan 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 06 Jan 2025 16:30:00 +0000

Type	Values Removed	Values Added
Description		go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.
Title		go-git has an Argument Injection via the URL field
Weaknesses		CWE-88
References		https://github.com/go-git/go-git/security/advisories/GHSA-v725-9546-7q7m
Metrics		cvssV4_0 `{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Clear'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-01-06T16:13:10.611Z

Updated: 2025-01-06T16:45:02.671Z

Reserved: 2024-12-29T03:00:24.713Z

Link: CVE-2025-21613

Vulnrichment

Updated: 2025-01-06T16:44:56.937Z

NVD

Status : Received

Published: 2025-01-06T17:15:47.043

Modified: 2025-01-06T17:15:47.043

Link: CVE-2025-21613

Redhat

Severity : Important

Publid Date: 2025-01-06T16:13:10Z

Links: CVE-2025-21613 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-21613", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-12-29T03:00:24.713Z", "datePublished": "2025-01-06T16:13:10.611Z", "dateUpdated": "2025-01-06T16:45:02.671Z"}, "containers": {"cna": {"title": "go-git has an Argument Injection via the URL field", "problemTypes": [{"descriptions": [{"cweId": "CWE-88", "lang": "en", "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.2, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Clear", "version": "4.0"}}], "references": [{"name": "https://github.com/go-git/go-git/security/advisories/GHSA-v725-9546-7q7m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/go-git/go-git/security/advisories/GHSA-v725-9546-7q7m"}], "affected": [{"vendor": "go-git", "product": "go-git", "versions": [{"version": ">= 4.0.0, < 5.13.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-01-06T16:13:10.611Z"}, "descriptions": [{"lang": "en", "value": "go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0."}], "source": {"advisory": "GHSA-v725-9546-7q7m", "discovery": "UNKNOWN"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-88", "lang": "en", "description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-01-06T16:38:34.120792Z", "id": "CVE-2025-21613", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-06T16:45:02.671Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-21613", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-01-06T16:38:34.120792Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-88", "description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-06T16:44:56.937Z"}}], "cna": {"title": "go-git has an Argument Injection via the URL field", "source": {"advisory": "GHSA-v725-9546-7q7m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.2, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Clear", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "go-git", "product": "go-git", "versions": [{"status": "affected", "version": ">= 4.0.0, < 5.13.0"}]}], "references": [{"url": "https://github.com/go-git/go-git/security/advisories/GHSA-v725-9546-7q7m", "name": "https://github.com/go-git/go-git/security/advisories/GHSA-v725-9546-7q7m", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-88", "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-01-06T16:13:10.611Z"}}}, "cveMetadata": {"cveId": "CVE-2025-21613", "state": "PUBLISHED", "dateUpdated": "2025-01-06T16:45:02.671Z", "dateReserved": "2024-12-29T03:00:24.713Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-01-06T16:13:10.611Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0."}], "id": "CVE-2025-21613", "lastModified": "2025-01-06T17:15:47.043", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 9.2, "baseSeverity": "CRITICAL", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "CLEAR", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "HIGH"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-01-06T17:15:47.043", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/go-git/go-git/security/advisories/GHSA-v725-9546-7q7m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-88"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-88"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2025:1468", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.4::el8", "package": "advanced-cluster-security/rhacs-main-rhel8:4.4.8-2", "product_name": "Red Hat Advanced Cluster Security 4.4", "release_date": "2025-02-13T00:00:00Z"}, {"advisory": "RHSA-2025:1468", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.4::el8", "package": "advanced-cluster-security/rhacs-rhel8-operator:4.4.8-2", "product_name": "Red Hat Advanced Cluster Security 4.4", "release_date": "2025-02-13T00:00:00Z"}, {"advisory": "RHSA-2025:1468", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.4::el8", "package": "advanced-cluster-security/rhacs-roxctl-rhel8:4.4.8-2", "product_name": "Red Hat Advanced Cluster Security 4.4", "release_date": "2025-02-13T00:00:00Z"}, {"advisory": "RHSA-2025:1334", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-main-rhel8:4.5.6-2", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-02-11T00:00:00Z"}, {"advisory": "RHSA-2025:1334", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-rhel8-operator:4.5.6-2", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-02-11T00:00:00Z"}, {"advisory": "RHSA-2025:1334", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-roxctl-rhel8:4.5.6-2", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-02-11T00:00:00Z"}, {"advisory": "RHSA-2025:1334", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-scanner-rhel8:4.5.6-2", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-02-11T00:00:00Z"}, {"advisory": "RHSA-2025:1334", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-scanner-slim-rhel8:4.5.6-2", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-02-11T00:00:00Z"}, {"advisory": "RHSA-2025:1334", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.5.6-1", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-02-11T00:00:00Z"}, {"advisory": "RHSA-2025:1334", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-rhel8:4.5.6-2", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-02-11T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-central-db-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-collector-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-collector-slim-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-main-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-operator-bundle:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-rhel8-operator:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-roxctl-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-db-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-slim-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0401", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "grafana-0:9.2.10-21.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-01-20T00:00:00Z"}, {"advisory": "RHSA-2025:0662", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "grafana-0:9.2.10-21.el9_4", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-01-23T00:00:00Z"}, {"advisory": "RHSA-2025:1704", "cpe": "cpe:/a:redhat:openshift:4.16::el9", "package": "openshift4/ose-helm-rhel9-operator:v4.16.0-202502130836.p0.g26e182e.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.16", "release_date": "2025-02-27T00:00:00Z"}, {"advisory": "RHSA-2025:1704", "cpe": "cpe:/a:redhat:openshift:4.16::el9", "package": "openshift4/ose-operator-sdk-rhel9:v4.16.0-202502190034.p0.g26e182e.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.16", "release_date": "2025-02-27T00:00:00Z"}, {"advisory": "RHSA-2025:0654", "cpe": "cpe:/a:redhat:openshift:4.17::el9", "package": "openshift4/oc-mirror-plugin-rhel9:v4.17.0-202501221434.p0.g39bedc7.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.17", "release_date": "2025-01-28T00:00:00Z"}, {"advisory": "RHSA-2025:1119", "cpe": "cpe:/a:redhat:openshift:4.17::el9", "package": "openshift4/ose-helm-rhel9-operator:v4.17.0-202502051104.p0.g61a705e.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.17", "release_date": "2025-02-11T00:00:00Z"}, {"advisory": "RHSA-2025:1119", "cpe": "cpe:/a:redhat:openshift:4.17::el9", "package": "openshift4/ose-operator-sdk-rhel9:v4.17.0-202502051104.p0.g61a705e.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.17", "release_date": "2025-02-11T00:00:00Z"}, {"advisory": "RHSA-2024:6122", "cpe": "cpe:/a:redhat:openshift:4.18::el9", "package": "openshift4/oc-mirror-plugin-rhel9:v4.18.0-202502100934.p0.gc00c7c9.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.18", "release_date": "2025-02-25T00:00:00Z"}, {"advisory": "RHSA-2024:6122", "cpe": "cpe:/a:redhat:openshift:4.18::el9", "package": "openshift4/ose-olm-catalogd-rhel9:v4.18.0-202502052031.p0.gf95a88f.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.18", "release_date": "2025-02-25T00:00:00Z"}, {"advisory": "RHSA-2024:6122", "cpe": "cpe:/a:redhat:openshift:4.18::el9", "package": "openshift4/ose-olm-operator-controller-rhel9:v4.18.0-202502051931.p0.g74a2477.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.18", "release_date": "2025-02-25T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-argocd-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-argocd-rhel9-container-v1.14.3-1", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-argo-rollouts-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-console-plugin-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-dex-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-kam-delivery-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-must-gather-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-operator-bundle-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-operator-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/argocd-extensions-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/argocd-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/argocd-rhel9:v1.15.1-1", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/argo-rollouts-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/console-plugin-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/dex-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/gitops-operator-bundle:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/gitops-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/gitops-rhel8-operator:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/must-gather-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1869", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "rhosp-rhel8/osp-director-agent:1.3.0-17", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1869", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "rhosp-rhel8/osp-director-downloader:1.3.0-17", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1869", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "rhosp-rhel8/osp-director-operator:1.3.0-15", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1869", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "rhosp-rhel8/osp-director-operator-bundle:1.3.0-33", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1870", "cpe": "cpe:/a:redhat:openstack:17.1::el9", "package": "rhosp-rhel9/osp-director-agent:1.3.1-20", "product_name": "Red Hat OpenStack Platform 17.1 for RHEL 9", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1870", "cpe": "cpe:/a:redhat:openstack:17.1::el9", "package": "rhosp-rhel9/osp-director-downloader:1.3.1-18", "product_name": "Red Hat OpenStack Platform 17.1 for RHEL 9", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1870", "cpe": "cpe:/a:redhat:openstack:17.1::el9", "package": "rhosp-rhel9/osp-director-operator:1.3.1-20", "product_name": "Red Hat OpenStack Platform 17.1 for RHEL 9", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1870", "cpe": "cpe:/a:redhat:openstack:17.1::el9", "package": "rhosp-rhel9/osp-director-operator-bundle:1.3.1-41", "product_name": "Red Hat OpenStack Platform 17.1 for RHEL 9", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:0715", "cpe": "cpe:/a:redhat:openshift_builds:1.1::el9", "package": "registry.redhat.io/openshift-builds/openshift-builds-git-cloner-rhel9:sha256:a580ad568b67732135f47081d17e92f2848d571f934f31ab650984cc8eb3b0f4", "product_name": "Builds for Red Hat OpenShift 1.1.1", "release_date": "2025-01-27T00:00:00Z"}, {"advisory": "RHSA-2025:0754", "cpe": "cpe:/a:redhat:openshift_builds:1.2::el9", "package": "registry.redhat.io/openshift-builds/openshift-builds-git-cloner-rhel9:sha256:f99a08e2fc4b3d35af37d96da9c6d397ccd05cd3a03fcc588ed6a7e12a1d1575", "product_name": "Builds for Red Hat OpenShift 1.2.1", "release_date": "2025-01-28T00:00:00Z"}, {"advisory": "RHSA-2025:0444", "cpe": "cpe:/a:redhat:trusted_profile_analyzer:1.2::el9", "package": "registry.redhat.io/rhtpa/rhtpa-guac-rhel9:sha256:2dc71ee6e8c55a29b6dd68006c7d0365154d35c850021d8b4b77e24b4e8fd1a6", "product_name": "Red Hat Trusted Profile Analyzer 1.2", "release_date": "2025-01-20T00:00:00Z"}, {"advisory": "RHSA-2025:0445", "cpe": "cpe:/a:redhat:trusted_profile_analyzer:1.2::el9", "package": "registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9:sha256:eb2e0b1003ef77c39b28fe9fbe2ca8141aa72160bdcd7d55eddac2c16629d7c4", "product_name": "Red Hat Trusted Profile Analyzer 1.2", "release_date": "2025-01-20T00:00:00Z"}], "bugzilla": {"description": "go-git: argument injection via the URL field", "id": "2335888", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2335888"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-88", "details": ["go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.", "An argument injection vulnerability was found in go-git. This flaw allows an attacker to set arbitrary values to git-upload-pack flags, leading to command or code execution, exposure of sensitive data, or other unintended behavior. This is only possible in configurations where the file transport protocol is being used."], "mitigation": {"lang": "en:us", "value": "In cases where it is not possible to update to the latest version of go-git, it is recommended to enforce validation rules for values passed in the URL field."}, "name": "CVE-2025-21613", "package_state": [{"cpe": "cpe:/a:redhat:openshift_builds:1", "fix_state": "Affected", "package_name": "openshift-builds/openshift-builds-image-bundler-rhel9", "product_name": "Builds for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openshift_api_data_protection:1", "fix_state": "Affected", "package_name": "oadp/oadp-mustgather-rhel8", "product_name": "OpenShift API for Data Protection"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Affected", "package_name": "odo", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/client-kn-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1-func-utils-rhel8-container", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-cli-artifacts-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "package_name": "rhacm2/multicluster-operators-subscription-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "package_name": "rhacm2/submariner-rhel8-operator", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:7", "fix_state": "Affected", "package_name": "rhceph/grafana-rhel9", "product_name": "Red Hat Ceph Storage 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "odh-data-science-pipelines-argo-argoexec-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "odh-data-science-pipelines-argo-workflowcontroller-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-data-science-pipelines-argo-argoexec-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "cri-o", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-ansible-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-cli", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-cli-artifacts", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-console", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-deployer", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-olm-rukpak-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-operator-framework-tools-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-operator-lifecycle-manager", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-operator-registry-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-tools-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift-clients", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "redhat/redhat-operator-index", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Not affected", "package_name": "devspaces/devspaces-rhel8-operator", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "container-native-virtualization/cluster-network-addons-operator", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "container-native-virtualization/cluster-network-addons-operator-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Affected", "package_name": "osp-director-provisioner-container", "product_name": "Red Hat OpenStack Platform 16.2"}], "public_date": "2025-01-06T16:13:10Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-21613\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21613\nhttps://github.com/go-git/go-git/security/advisories/GHSA-v725-9546-7q7m"], "statement": "This vulnerability is rated as an Important severity because an argument injection has been discovered in go-git, where an attackers can manipulate git-upload-pack flags, potentially enabling command or code execution leads to an exposure of sensitive data or other unintended actions, this vulnerability occurs exclusively in configurations using the file transport protocol.", "threat_severity": "Important"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object