Hi!
After upgrading to the latest Kosli CLI version (v2.11.6) in the Lambda reporter, AWS Inspector has detected the following high-severity security finding:
GHSA-r9px-m959-cxf4 - github.com/go-git/go-git/v5
Below is the provided description:
### Impact
A denial of service (DoS) vulnerability was discovered in go-git versions prior to `v5.13`.
This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in `go-git` clients. This is a `go-git` implementation issue and does not affect the upstream `git` cli.

### Patches
Users running versions of `go-git` from `v4` and above are recommended to upgrade to `v5.13` in order to mitigate this vulnerability.

### Workarounds
In cases where a bump to the latest version of `go-git` is not possible, we recommend limiting its use to only trustworthy Git servers.
According to the description, a bump to the latest version of go-git is not possible, so it is recommended to limit its use to only trustworthy Git servers.
Is this fix applicable to your implementation, and can it be resolved in the next patch?
Thanks for your support and consideration.
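Since the advisory's remediation is a version threshold (go-git `v5.13` or later), the check a maintainer or a downstream consumer would want is whether a given Go build still resolves `github.com/go-git/go-git/v5` below that release. The following is an added example, not code from the Kosli CLI or from go-git: it scans `go list -m all` style output (a constructed sample is embedded; the module names other than go-git are hypothetical) and reports the resolved go-git version if it is below `v5.13.0`. Pre-release and pseudo-versions (e.g. `v5.13.0-rc1`) are treated as older than the corresponding release, which matches Go module ordering.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample of `go list -m all` output for a hypothetical binary.
// It is not taken from the Kosli repository; only the go-git line matters here.
const sampleModuleList = `github.com/example/lambda-reporter
github.com/go-git/go-git/v5 v5.12.0
github.com/spf13/cobra v1.8.0
golang.org/x/net v0.23.0
`

const vulnerableModule = "github.com/go-git/go-git/v5"

// First release the advisory names as fixed.
const patchedVersion = "v5.13.0"

type semver struct {
	major, minor, patch int
	pre                 string // pre-release / pseudo-version suffix after '-'
}

// parseSemver parses Go module versions of the form vMAJOR.MINOR.PATCH[-pre][+meta].
func parseSemver(v string) (semver, error) {
	var s semver
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i] // build metadata does not affect ordering
	}
	if i := strings.Index(v, "-"); i >= 0 {
		s.pre = v[i+1:]
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return s, fmt.Errorf("not a semantic version: %q", v)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return s, fmt.Errorf("bad version component %q in %q", p, v)
		}
		nums[i] = n
	}
	s.major, s.minor, s.patch = nums[0], nums[1], nums[2]
	return s, nil
}

// less reports whether a sorts before b; a pre-release sorts before its release.
func (a semver) less(b semver) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	if a.patch != b.patch {
		return a.patch < b.patch
	}
	return a.pre != "" && b.pre == ""
}

// vulnerableGoGit scans `go list -m all` output and returns the resolved go-git
// version if it is below the patched release, or "" when the build is not affected
// (including when go-git is not a dependency at all).
func vulnerableGoGit(moduleList string) (string, error) {
	patched, err := parseSemver(patchedVersion)
	if err != nil {
		return "", err
	}
	sc := bufio.NewScanner(strings.NewReader(moduleList))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 || fields[0] != vulnerableModule {
			continue
		}
		got, err := parseSemver(fields[1])
		if err != nil {
			return "", err
		}
		if got.less(patched) {
			return fields[1], nil
		}
		return "", nil
	}
	return "", sc.Err()
}

func main() {
	v, err := vulnerableGoGit(sampleModuleList)
	switch {
	case err != nil:
		fmt.Println("error:", err)
	case v != "":
		fmt.Printf("%s resolves to %s (< %s): affected by GHSA-r9px-m959-cxf4\n", vulnerableModule, v, patchedVersion)
	default:
		fmt.Printf("%s is at or above %s: not affected\n", vulnerableModule, patchedVersion)
	}
}
```

Pipe `go list -m all` from the module being audited into this check, or run `go version -m` against the shipped binary and feed its `dep` lines through the same comparison, to confirm a patch release actually dropped the vulnerable go-git version rather than only changing a direct requirement while an older copy is still selected.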