
Vulnerability_id VCID-rka6-epua-h7gz
Summary
Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients
### Impact
A path traversal vulnerability was discovered in go-git versions prior to `v5.11`. This vulnerability allows an attacker to create and amend files across the filesystem. In the worst-case scenario, remote code execution could be achieved.

Applications are only affected if they are using the [ChrootOS](https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS), which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using [BoundOS](https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS) or in-memory filesystems are not affected by this issue.
This is a `go-git` implementation issue and does not affect the upstream `git` cli.

### Patches
Users running versions of `go-git` from `v4` and above are advised to upgrade to `v5.11` in order to mitigate this vulnerability.

### Workarounds
In cases where a bump to the latest version of `go-git` is not possible in a timely manner, we recommend limiting its use to only trustworthy Git servers.

## Credit
Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us.
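The Impact section above, and the CWE-22 entry further down this record, both come down to one property a chroot-style worktree must enforce: every entry name taken from a server reply has to resolve to a path that is still under the worktree root. The Go program below is an added example written for this page, not go-git's or go-billy's code; it uses only the standard library. `ResolveUnderRoot`, `RejectedEntries` and `SampleEntries` are hypothetical names, and the entry list is constructed for illustration rather than captured from a real server.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when an entry name would escape the worktree root.
var ErrOutsideRoot = errors.New("entry path escapes worktree root")

// ResolveUnderRoot maps an entry name received from an untrusted source
// (for example a tree entry in a Git server reply) to an absolute path that
// is guaranteed to lie under root. It rejects absolute names, cleans the
// joined path, and then checks with filepath.Rel that the cleaned result
// does not climb above root. Hypothetical helper, not go-git's code.
func ResolveUnderRoot(root, name string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// A tree entry must be relative to the worktree; an absolute name is never valid.
	if filepath.IsAbs(name) {
		return "", ErrOutsideRoot
	}
	// Join cleans "." and ".." segments, so "a/../../b" collapses before the check.
	full := filepath.Join(absRoot, name)
	rel, err := filepath.Rel(absRoot, full)
	if err != nil {
		return "", err
	}
	// Anything that starts with a ".." segment points above the root.
	// A name such as "..foo" is a normal file name and is allowed.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// RejectedEntries returns the names in a server-supplied list that fail the
// containment check, in the order they were received.
func RejectedEntries(root string, names []string) []string {
	var rejected []string
	for _, n := range names {
		if _, err := ResolveUnderRoot(root, n); err != nil {
			rejected = append(rejected, n)
		}
	}
	return rejected
}

// SampleEntries is a constructed list of entry names, mixing ordinary paths
// with the shapes a containment check has to catch. Illustrative only.
var SampleEntries = []string{
	"README.md",
	"src/main.go",
	"..foo/keep.txt",    // leading dots but no traversal: allowed
	"../../outside.txt", // climbs out of the root
	"/tmp/outside",      // absolute path
	"a/../../b",         // traversal hidden behind a legitimate segment
}

func main() {
	for _, name := range SampleEntries {
		p, err := ResolveUnderRoot("/srv/work", name)
		if err != nil {
			fmt.Printf("REJECT %-20s %v\n", name, err)
			continue
		}
		fmt.Printf("ok     %-20s -> %s\n", name, p)
	}
}
```

The check is purely lexical: it catches `..` segments and absolute names, which is the CWE-22 case this advisory describes, but it says nothing about a symlink that an earlier step of the same checkout created inside the root and that points elsewhere. A filesystem layer that wants to stay bound to its base directory also has to resolve the already-existing part of a path (for instance with `filepath.EvalSymlinks`) before writing through it, and the simplest way to get that property in an application is to move off the default `Plain*` helpers onto a filesystem the advisory lists as unaffected, or to upgrade to `v5.11`.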
Aliases
0
alias CVE-2023-49569
1
alias GHSA-449p-3h89-pw88
Fixed_packages
0
url pkg:deb/debian/golang-github-go-git-go-git@5.11.0-1?distro=trixie
purl pkg:deb/debian/golang-github-go-git-go-git@5.11.0-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.11.0-1%3Fdistro=trixie
1
url pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1
purl pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-62r9-cvp9-tfbg
1
vulnerability VCID-kqrm-h42a-13ce
2
vulnerability VCID-m4t6-vddc-3bfw
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1
2
url pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1?distro=trixie
purl pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-62r9-cvp9-tfbg
1
vulnerability VCID-kqrm-h42a-13ce
2
vulnerability VCID-m4t6-vddc-3bfw
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.14.0-1%3Fdistro=trixie
3
url pkg:deb/debian/golang-github-go-git-go-git@5.17.0-1?distro=trixie
purl pkg:deb/debian/golang-github-go-git-go-git@5.17.0-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.17.0-1%3Fdistro=trixie
4
url pkg:deb/debian/golang-github-go-git-go-git@5.17.1-1?distro=trixie
purl pkg:deb/debian/golang-github-go-git-go-git@5.17.1-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.17.1-1%3Fdistro=trixie
5
url pkg:golang/github.com/go-git/go-git/v5@5.11.0
purl pkg:golang/github.com/go-git/go-git/v5@5.11.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:golang/github.com/go-git/go-git/v5@5.11.0
Affected_packages
0
url pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3
purl pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-62r9-cvp9-tfbg
1
vulnerability VCID-6smu-rrju-z7ca
2
vulnerability VCID-c5e4-td2w-37by
3
vulnerability VCID-j8jp-r751-sbf8
4
vulnerability VCID-kqrm-h42a-13ce
5
vulnerability VCID-m4t6-vddc-3bfw
6
vulnerability VCID-rka6-epua-h7gz
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3
1
url pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3?distro=trixie
purl pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-62r9-cvp9-tfbg
1
vulnerability VCID-6smu-rrju-z7ca
2
vulnerability VCID-c5e4-td2w-37by
3
vulnerability VCID-j8jp-r751-sbf8
4
vulnerability VCID-kqrm-h42a-13ce
5
vulnerability VCID-m4t6-vddc-3bfw
6
vulnerability VCID-rka6-epua-h7gz
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-go-git-go-git@5.4.2-3%3Fdistro=trixie
2
url pkg:rpm/redhat/ceph@2:16.2.10-266?arch=el8cp
purl pkg:rpm/redhat/ceph@2:16.2.10-266?arch=el8cp
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-h7qt-3g1f-5ffr
1
vulnerability VCID-j28b-6m1n-2bdk
2
vulnerability VCID-rka6-epua-h7gz
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/ceph@2:16.2.10-266%3Farch=el8cp
3
url pkg:rpm/redhat/ceph@2:18.2.1-194?arch=el8cp
purl pkg:rpm/redhat/ceph@2:18.2.1-194?arch=el8cp
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6smu-rrju-z7ca
1
vulnerability VCID-pv34-th9b-37h6
2
vulnerability VCID-rka6-epua-h7gz
3
vulnerability VCID-z7wb-tvk2-myhr
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/ceph@2:18.2.1-194%3Farch=el8cp
4
url pkg:rpm/redhat/ceph-ansible@6.0.28.8-1?arch=el8cp
purl pkg:rpm/redhat/ceph-ansible@6.0.28.8-1?arch=el8cp
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-h7qt-3g1f-5ffr
1
vulnerability VCID-j28b-6m1n-2bdk
2
vulnerability VCID-rka6-epua-h7gz
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/ceph-ansible@6.0.28.8-1%3Farch=el8cp
5
url pkg:rpm/redhat/openshift-serverless-clients@1.10.0-6?arch=el8
purl pkg:rpm/redhat/openshift-serverless-clients@1.10.0-6?arch=el8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5eck-adts-e3de
1
vulnerability VCID-6smu-rrju-z7ca
2
vulnerability VCID-jzn6-bzzf-nugp
3
vulnerability VCID-rka6-epua-h7gz
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/openshift-serverless-clients@1.10.0-6%3Farch=el8
References
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-49569.json
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-49569.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-49569
reference_id
reference_type
scores
0
value 0.04027
scoring_system epss
scoring_elements 0.88494
published_at 2026-04-21T12:55:00Z
1
value 0.04027
scoring_system epss
scoring_elements 0.88457
published_at 2026-04-07T12:55:00Z
2
value 0.04027
scoring_system epss
scoring_elements 0.88476
published_at 2026-04-08T12:55:00Z
3
value 0.04027
scoring_system epss
scoring_elements 0.88482
published_at 2026-04-09T12:55:00Z
4
value 0.04027
scoring_system epss
scoring_elements 0.88492
published_at 2026-04-11T12:55:00Z
5
value 0.04027
scoring_system epss
scoring_elements 0.88485
published_at 2026-04-12T12:55:00Z
6
value 0.04027
scoring_system epss
scoring_elements 0.88484
published_at 2026-04-13T12:55:00Z
7
value 0.04027
scoring_system epss
scoring_elements 0.88499
published_at 2026-04-16T12:55:00Z
8
value 0.04027
scoring_system epss
scoring_elements 0.88496
published_at 2026-04-18T12:55:00Z
9
value 0.04027
scoring_system epss
scoring_elements 0.88453
published_at 2026-04-04T12:55:00Z
10
value 0.04134
scoring_system epss
scoring_elements 0.88604
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-49569
2
reference_url https://github.com/go-git/go-git
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/go-git/go-git
3
reference_url https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-18T19:36:00Z/
url https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-49569
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-49569
5
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060701
reference_id 1060701
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060701
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2258143
reference_id 2258143
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2258143
7
reference_url https://access.redhat.com/errata/RHSA-2023:7197
reference_id RHSA-2023:7197
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7197
8
reference_url https://access.redhat.com/errata/RHSA-2023:7198
reference_id RHSA-2023:7198
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7198
9
reference_url https://access.redhat.com/errata/RHSA-2024:0040
reference_id RHSA-2024:0040
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0040
10
reference_url https://access.redhat.com/errata/RHSA-2024:0298
reference_id RHSA-2024:0298
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0298
11
reference_url https://access.redhat.com/errata/RHSA-2024:0641
reference_id RHSA-2024:0641
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0641
12
reference_url https://access.redhat.com/errata/RHSA-2024:0642
reference_id RHSA-2024:0642
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0642
13
reference_url https://access.redhat.com/errata/RHSA-2024:0692
reference_id RHSA-2024:0692
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0692
14
reference_url https://access.redhat.com/errata/RHSA-2024:0735
reference_id RHSA-2024:0735
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0735
15
reference_url https://access.redhat.com/errata/RHSA-2024:0740
reference_id RHSA-2024:0740
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0740
16
reference_url https://access.redhat.com/errata/RHSA-2024:0832
reference_id RHSA-2024:0832
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0832
17
reference_url https://access.redhat.com/errata/RHSA-2024:0833
reference_id RHSA-2024:0833
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0833
18
reference_url https://access.redhat.com/errata/RHSA-2024:0843
reference_id RHSA-2024:0843
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0843
19
reference_url https://access.redhat.com/errata/RHSA-2024:0845
reference_id RHSA-2024:0845
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0845
20
reference_url https://access.redhat.com/errata/RHSA-2024:0880
reference_id RHSA-2024:0880
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0880
21
reference_url https://access.redhat.com/errata/RHSA-2024:0989
reference_id RHSA-2024:0989
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0989
22
reference_url https://access.redhat.com/errata/RHSA-2024:1052
reference_id RHSA-2024:1052
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1052
23
reference_url https://access.redhat.com/errata/RHSA-2024:1549
reference_id RHSA-2024:1549
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1549
24
reference_url https://access.redhat.com/errata/RHSA-2024:1557
reference_id RHSA-2024:1557
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1557
25
reference_url https://access.redhat.com/errata/RHSA-2024:1896
reference_id RHSA-2024:1896
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1896
26
reference_url https://access.redhat.com/errata/RHSA-2024:2633
reference_id RHSA-2024:2633
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2633
27
reference_url https://access.redhat.com/errata/RHSA-2024:3925
reference_id RHSA-2024:3925
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3925
28
reference_url https://access.redhat.com/errata/RHSA-2024:4118
reference_id RHSA-2024:4118
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4118
29
reference_url https://access.redhat.com/errata/RHSA-2024:5013
reference_id RHSA-2024:5013
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:5013
30
reference_url https://access.redhat.com/errata/RHSA-2024:6221
reference_id RHSA-2024:6221
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6221
31
reference_url https://usn.ubuntu.com/8088-1/
reference_id USN-8088-1
reference_type
scores
url https://usn.ubuntu.com/8088-1/
Weaknesses
0
cwe_id 22
name Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
description The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Exploits
Severity_range_score 8.1 - 10.0
Exploitability 0.5
Weighted_severity 9.0
Risk_score 4.5
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rka6-epua-h7gz