| packages: |
| - module: github.com/argoproj/argo-events |
| package: github.com/argoproj/argo-events/sensors/artifacts |
| symbols: |
| - NewGitReader |
| derived_symbols: |
| - GetArtifactReader |
| versions: |
| - fixed: 1.7.1 |
| vulnerable_at: 1.7.0 |
| description: | |
| GitArtifactReader is vulnerable to directory traversal attacks. |
| |
| The GitArtifactReader.Read function reads and returns the |
| contents of a Git repository file. A maliciously crafted repository |
| can exploit this to cause Read to read from arbitrary files on |
| the filesystem. |
| cves: |
| - CVE-2022-25856 |
| ghsas: |
| - GHSA-qpgx-64h2-gc3c |
| credit: Derek Wang |
| links: |
| pr: https://github.com/argoproj/argo-events/pull/1965 |
| context: |
| - https://github.com/argoproj/argo-events/issues/1947 |