logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2022-31249 github.com/rancher/wrangler

Package

Manager: go
Name: github.com/rancher/wrangler
Vulnerable Version: >=0 <0.7.4-security1 || >=0.8.0 <0.8.5-security1 || =1.0.0 || >=1.0.0 <1.0.1 || >=0.8.6 <0.8.11

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.01452 pctl0.80052

Details

Command injection in Git package in Wrangler ### Impact A command injection vulnerability was discovered in Wrangler's Git package affecting versions up to and including `v1.0.0`. Wrangler's Git package uses the underlying Git binary present in the host OS or container image to execute Git operations. Specially crafted commands can be passed to Wrangler that will change their behavior and cause confusion when executed through Git, resulting in command injection in the underlying host. ### Workarounds A workaround is to sanitize input passed to the Git package to remove potential unsafe and ambiguous characters. Otherwise, the best course of action is to update to a patched Wrangler version. ### Patches Patched versions include `v1.0.1` and later and the backported tags - `v0.7.4-security1`, `v0.8.5-security1` and `v0.8.11`. ### For more information If you have any questions or comments about this advisory: * Reach out to [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries. * Open an issue in [Rancher](https://github.com/rancher/rancher/issues/new/choose) or [Wrangler](https://github.com/rancher/wrangler/issues/new) repository. * Verify our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).

Metadata

Created: 2023-01-25T19:40:43Z
Modified: 2023-02-08T22:37:02Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-qrg7-hfx7-95c5/GHSA-qrg7-hfx7-95c5.json
CWE IDs: ["CWE-77", "CWE-78", "CWE-88"]
Alternative ID: GHSA-qrg7-hfx7-95c5
Finding: F422
Auto approve: 1