logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2022-43756 github.com/rancher/wrangler

Package

Manager: go
Name: github.com/rancher/wrangler
Vulnerable Version: >=0 <0.7.4-security1 || >=0.8.0 <0.8.5-security1 || =1.0.0 || >=1.0.0 <1.0.1 || >=0.8.6 <0.8.11

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00303 pctl0.53054

Details

Denial of service (DoS) when processing Git credentials ### Impact A denial of services (DoS) vulnerability was discovered in Wrangler Git package affecting versions up to and including `v1.0.0`. Specially crafted Git credentials can result in a denial of service (DoS) attack on an application that uses Wrangler due to the exhaustion of the available memory and CPU resources. This is caused by a lack of input validation of Git credentials before they are used, which may lead to a denial of service in some cases. This issue can be triggered when accessing both private and public Git repositories. ### Workarounds A workaround is to sanitize input passed to the Git package to remove potential unsafe and ambiguous characters. Otherwise, the best course of action is to update to a patched Wrangler version. ### Patches Patched versions include `v1.0.1` and later and the backported tags - `v0.7.4-security1`, `v0.8.5-security1` and `v0.8.11`. ### For more information If you have any questions or comments about this advisory: * Reach out to [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries. * Open an issue in [Rancher](https://github.com/rancher/rancher/issues/new/choose) or [Wrangler](https://github.com/rancher/wrangler/issues/new) repository. * Verify our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).

Metadata

Created: 2023-01-25T19:40:26Z
Modified: 2023-02-07T15:50:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-8fcj-gf77-47mg/GHSA-8fcj-gf77-47mg.json
CWE IDs: ["CWE-150", "CWE-74"]
Alternative ID: GHSA-8fcj-gf77-47mg
Finding: F111
Auto approve: 1