{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-21613", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-12-29T03:00:24.713Z", "datePublished": "2025-01-06T16:13:10.611Z", "dateUpdated": "2025-01-06T16:45:02.671Z"}, "containers": {"cna": {"title": "go-git has an Argument Injection via the URL field", "problemTypes": [{"descriptions": [{"cweId": "CWE-88", "lang": "en", "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.2, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Clear", "version": "4.0"}}], "references": [{"name": "https://github.com/go-git/go-git/security/advisories/GHSA-v725-9546-7q7m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/go-git/go-git/security/advisories/GHSA-v725-9546-7q7m"}], "affected": [{"vendor": "go-git", "product": "go-git", "versions": [{"version": ">= 4.0.0, < 5.13.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-01-06T16:13:10.611Z"}, "descriptions": [{"lang": "en", "value": "go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0."}], "source": {"advisory": "GHSA-v725-9546-7q7m", "discovery": "UNKNOWN"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-88", "lang": "en", "description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-01-06T16:38:34.120792Z", "id": "CVE-2025-21613", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-06T16:45:02.671Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-21613", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-01-06T16:38:34.120792Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-88", "description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-06T16:44:56.937Z"}}], "cna": {"title": "go-git has an Argument Injection via the URL field", "source": {"advisory": "GHSA-v725-9546-7q7m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.2, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Clear", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "go-git", "product": "go-git", "versions": [{"status": "affected", "version": ">= 4.0.0, < 5.13.0"}]}], "references": [{"url": "https://github.com/go-git/go-git/security/advisories/GHSA-v725-9546-7q7m", "name": "https://github.com/go-git/go-git/security/advisories/GHSA-v725-9546-7q7m", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-88", "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-01-06T16:13:10.611Z"}}}, "cveMetadata": {"cveId": "CVE-2025-21613", "state": "PUBLISHED", "dateUpdated": "2025-01-06T16:45:02.671Z", "dateReserved": "2024-12-29T03:00:24.713Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-01-06T16:13:10.611Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:go-git_project:go-git:*:*:*:*:*:go:*:*", "matchCriteriaId": "77FFEE6C-CE0C-435F-9466-13BC2B95D09E", "versionEndExcluding": "5.13.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0."}, {"lang": "es", "value": "Go-git es una librer\u00eda de implementaci\u00f3n de Git altamente extensible escrita en Go puro. Se descubri\u00f3 una vulnerabilidad de inyecci\u00f3n de argumentos en versiones de Go-git anteriores a la v5.13. La explotaci\u00f3n exitosa de esta vulnerabilidad podr\u00eda permitir a un atacante establecer valores arbitrarios para los indicadores git-upload-pack. Esto solo sucede cuando se utiliza el protocolo de transporte de archivos, ya que es el \u00fanico protocolo que realiza transferencias a binarios de Git. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 5.13.0."}], "id": "CVE-2025-21613", "lastModified": "2025-04-17T02:33:57.140", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.2, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "CLEAR", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-01-06T17:15:47.043", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/go-git/go-git/security/advisories/GHSA-v725-9546-7q7m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-88"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-88"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:1468", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.4::el8", "package": "advanced-cluster-security/rhacs-main-rhel8:4.4.8-2", "product_name": "Red Hat Advanced Cluster Security 4.4", "release_date": "2025-02-13T00:00:00Z"}, {"advisory": "RHSA-2025:1468", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.4::el8", "package": "advanced-cluster-security/rhacs-rhel8-operator:4.4.8-2", "product_name": "Red Hat Advanced Cluster Security 4.4", "release_date": "2025-02-13T00:00:00Z"}, {"advisory": "RHSA-2025:1468", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.4::el8", "package": "advanced-cluster-security/rhacs-roxctl-rhel8:4.4.8-2", "product_name": "Red Hat Advanced Cluster Security 4.4", "release_date": "2025-02-13T00:00:00Z"}, {"advisory": "RHSA-2025:1334", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-main-rhel8:4.5.6-2", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-02-11T00:00:00Z"}, {"advisory": "RHSA-2025:1334", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-rhel8-operator:4.5.6-2", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-02-11T00:00:00Z"}, {"advisory": "RHSA-2025:1334", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-roxctl-rhel8:4.5.6-2", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-02-11T00:00:00Z"}, {"advisory": "RHSA-2025:1334", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-scanner-rhel8:4.5.6-2", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-02-11T00:00:00Z"}, {"advisory": "RHSA-2025:1334", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-scanner-slim-rhel8:4.5.6-2", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-02-11T00:00:00Z"}, {"advisory": "RHSA-2025:1334", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.5.6-1", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-02-11T00:00:00Z"}, {"advisory": "RHSA-2025:1334", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.5::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-rhel8:4.5.6-2", "product_name": "Red Hat Advanced Cluster Security 4.5", "release_date": "2025-02-11T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-central-db-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-collector-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-collector-slim-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-main-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-operator-bundle:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-rhel8-operator:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-roxctl-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-db-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-slim-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0907", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-rhel8:4.6.2-2", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-02-03T00:00:00Z"}, {"advisory": "RHSA-2025:0401", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "grafana-0:9.2.10-21.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-01-20T00:00:00Z"}, {"advisory": "RHSA-2025:0662", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "grafana-0:9.2.10-21.el9_4", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-01-23T00:00:00Z"}, {"advisory": "RHSA-2025:1704", "cpe": "cpe:/a:redhat:openshift:4.16::el9", "package": "openshift4/ose-helm-rhel9-operator:v4.16.0-202502130836.p0.g26e182e.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.16", "release_date": "2025-02-27T00:00:00Z"}, {"advisory": "RHSA-2025:1704", "cpe": "cpe:/a:redhat:openshift:4.16::el9", "package": "openshift4/ose-operator-sdk-rhel9:v4.16.0-202502190034.p0.g26e182e.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.16", "release_date": "2025-02-27T00:00:00Z"}, {"advisory": "RHSA-2025:0654", "cpe": "cpe:/a:redhat:openshift:4.17::el9", "package": "openshift4/oc-mirror-plugin-rhel9:v4.17.0-202501221434.p0.g39bedc7.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.17", "release_date": "2025-01-28T00:00:00Z"}, {"advisory": "RHSA-2025:1119", "cpe": "cpe:/a:redhat:openshift:4.17::el9", "package": "openshift4/ose-helm-rhel9-operator:v4.17.0-202502051104.p0.g61a705e.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.17", "release_date": "2025-02-11T00:00:00Z"}, {"advisory": "RHSA-2025:1119", "cpe": "cpe:/a:redhat:openshift:4.17::el9", "package": "openshift4/ose-operator-sdk-rhel9:v4.17.0-202502051104.p0.g61a705e.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.17", "release_date": "2025-02-11T00:00:00Z"}, {"advisory": "RHSA-2024:6122", "cpe": "cpe:/a:redhat:openshift:4.18::el9", "package": "openshift4/oc-mirror-plugin-rhel9:v4.18.0-202502100934.p0.gc00c7c9.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.18", "release_date": "2025-02-25T00:00:00Z"}, {"advisory": "RHSA-2024:6122", "cpe": "cpe:/a:redhat:openshift:4.18::el9", "package": "openshift4/ose-olm-catalogd-rhel9:v4.18.0-202502052031.p0.gf95a88f.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.18", "release_date": "2025-02-25T00:00:00Z"}, {"advisory": "RHSA-2024:6122", "cpe": "cpe:/a:redhat:openshift:4.18::el9", "package": "openshift4/ose-olm-operator-controller-rhel9:v4.18.0-202502051931.p0.g74a2477.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.18", "release_date": "2025-02-25T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-argocd-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-argocd-rhel9-container-v1.14.3-1", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-argo-rollouts-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-console-plugin-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-dex-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-kam-delivery-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-must-gather-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-operator-bundle-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-operator-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/argocd-extensions-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/argocd-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/argocd-rhel9:v1.15.1-1", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/argo-rollouts-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/console-plugin-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/dex-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/gitops-operator-bundle:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/gitops-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/gitops-rhel8-operator:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/must-gather-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1869", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "rhosp-rhel8/osp-director-agent:1.3.0-17", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1869", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "rhosp-rhel8/osp-director-downloader:1.3.0-17", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1869", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "rhosp-rhel8/osp-director-operator:1.3.0-15", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1869", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "rhosp-rhel8/osp-director-operator-bundle:1.3.0-33", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1870", "cpe": "cpe:/a:redhat:openstack:17.1::el9", "package": "rhosp-rhel9/osp-director-agent:1.3.1-20", "product_name": "Red Hat OpenStack Platform 17.1 for RHEL 9", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1870", "cpe": "cpe:/a:redhat:openstack:17.1::el9", "package": "rhosp-rhel9/osp-director-downloader:1.3.1-18", "product_name": "Red Hat OpenStack Platform 17.1 for RHEL 9", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1870", "cpe": "cpe:/a:redhat:openstack:17.1::el9", "package": "rhosp-rhel9/osp-director-operator:1.3.1-20", "product_name": "Red Hat OpenStack Platform 17.1 for RHEL 9", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1870", "cpe": "cpe:/a:redhat:openstack:17.1::el9", "package": "rhosp-rhel9/osp-director-operator-bundle:1.3.1-41", "product_name": "Red Hat OpenStack Platform 17.1 for RHEL 9", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:0715", "cpe": "cpe:/a:redhat:openshift_builds:1.1::el9", "package": "registry.redhat.io/openshift-builds/openshift-builds-git-cloner-rhel9:sha256:a580ad568b67732135f47081d17e92f2848d571f934f31ab650984cc8eb3b0f4", "product_name": "Builds for Red Hat OpenShift 1.1.1", "release_date": "2025-01-27T00:00:00Z"}, {"advisory": "RHSA-2025:0754", "cpe": "cpe:/a:redhat:openshift_builds:1.2::el9", "package": "registry.redhat.io/openshift-builds/openshift-builds-git-cloner-rhel9:sha256:f99a08e2fc4b3d35af37d96da9c6d397ccd05cd3a03fcc588ed6a7e12a1d1575", "product_name": "Builds for Red Hat OpenShift 1.2.1", "release_date": "2025-01-28T00:00:00Z"}, {"advisory": "RHSA-2025:0444", "cpe": "cpe:/a:redhat:trusted_profile_analyzer:1.2::el9", "package": "registry.redhat.io/rhtpa/rhtpa-guac-rhel9:sha256:2dc71ee6e8c55a29b6dd68006c7d0365154d35c850021d8b4b77e24b4e8fd1a6", "product_name": "Red Hat Trusted Profile Analyzer 1.2", "release_date": "2025-01-20T00:00:00Z"}, {"advisory": "RHSA-2025:0445", "cpe": "cpe:/a:redhat:trusted_profile_analyzer:1.2::el9", "package": "registry.redhat.io/rhtpa/rhtpa-trustification-service-rhel9:sha256:eb2e0b1003ef77c39b28fe9fbe2ca8141aa72160bdcd7d55eddac2c16629d7c4", "product_name": "Red Hat Trusted Profile Analyzer 1.2", "release_date": "2025-01-20T00:00:00Z"}], "bugzilla": {"description": "go-git: argument injection via the URL field", "id": "2335888", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2335888"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-88", "details": ["go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.", "An argument injection vulnerability was found in go-git. This flaw allows an attacker to set arbitrary values to git-upload-pack flags, leading to command or code execution, exposure of sensitive data, or other unintended behavior. This is only possible in configurations where the file transport protocol is being used."], "mitigation": {"lang": "en:us", "value": "In cases where it is not possible to update to the latest version of go-git, it is recommended to enforce validation rules for values passed in the URL field."}, "name": "CVE-2025-21613", "package_state": [{"cpe": "cpe:/a:redhat:openshift_builds:1", "fix_state": "Affected", "package_name": "openshift-builds/openshift-builds-image-bundler-rhel9", "product_name": "Builds for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openshift_api_data_protection:1", "fix_state": "Affected", "package_name": "oadp/oadp-mustgather-rhel8", "product_name": "OpenShift API for Data Protection"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Affected", "package_name": "odo", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/client-kn-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1-func-utils-rhel8-container", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-cli-artifacts-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "package_name": "rhacm2/multicluster-operators-subscription-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "package_name": "rhacm2/submariner-rhel8-operator", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:7", "fix_state": "Affected", "package_name": "rhceph/grafana-rhel9", "product_name": "Red Hat Ceph Storage 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "odh-data-science-pipelines-argo-argoexec-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "odh-data-science-pipelines-argo-workflowcontroller-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-data-science-pipelines-argo-argoexec-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-data-science-pipelines-argo-workflowcontroller-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "cri-o", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-ansible-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-cli", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-cli-artifacts", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-console", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-deployer", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-olm-rukpak-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-operator-framework-tools-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-operator-lifecycle-manager", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-operator-registry-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-tools-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift-clients", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "redhat/redhat-operator-index", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Not affected", "package_name": "devspaces/devspaces-rhel8-operator", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "container-native-virtualization/cluster-network-addons-operator", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "container-native-virtualization/cluster-network-addons-operator-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Affected", "package_name": "osp-director-provisioner-container", "product_name": "Red Hat OpenStack Platform 16.2"}], "public_date": "2025-01-06T16:13:10Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-21613\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21613\nhttps://github.com/go-git/go-git/security/advisories/GHSA-v725-9546-7q7m"], "statement": "This vulnerability is rated as an Important severity because an argument injection has been discovered in go-git, where an attackers can manipulate git-upload-pack flags, potentially enabling command or code execution leads to an exposure of sensitive data or other unintended actions, this vulnerability occurs exclusively in configurations using the file transport protocol.", "threat_severity": "Important"}