blob: 55ee375311b32ebd686ea97fe194c06ece7e8878 [file] [log] [blame]
{
"schema_version": "1.3.1",
"id": "GO-2023-1515",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2022-43756",
"GHSA-8fcj-gf77-47mg"
],
"summary": "Denial of service when processing Git credentials in github.com/rancher/wrangler",
"details": "A denial of service (DoS) vulnerability exists in the Wrangler Git package. Specially crafted Git credentials can result in a denial of service (DoS) attack on an application that uses Wrangler due to the exhaustion of the available memory and CPU resources.\n\nThis is caused by a lack of input validation of Git credentials before they are used, which may lead to a denial of service in some cases. This issue can be triggered when accessing both private and public Git repositories.\n\nA workaround is to sanitize input passed to the Git package to remove potential unsafe and ambiguous characters. Otherwise, the best course of action is to update to a patched Wrangler version.",
"affected": [
{
"package": {
"name": "github.com/rancher/wrangler",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "0.7.4-security1"
},
{
"introduced": "0.8.0"
},
{
"fixed": "0.8.5-security1"
},
{
"introduced": "0.8.6"
},
{
"fixed": "0.8.11"
},
{
"introduced": "1.0.0"
},
{
"fixed": "1.0.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/rancher/wrangler/pkg/git",
"symbols": [
"Git.Clone",
"Git.Ensure",
"Git.Head",
"Git.LsRemote",
"Git.Update",
"Git.fetchAndReset",
"Git.gitCmd",
"Git.reset"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/rancher/wrangler/commit/341018c8fef3e12867c7cb2649bd2cecac75f287"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-8fcj-gf77-47mg"
},
{
"type": "WEB",
"url": "https://github.com/rancher/rancher/security/policy"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2023-1515"
}
}