blob: f52a37f32246beaa75ed090514944f33ae5834f2 [file] [log] [blame]
id: GO-2022-0492
modules:
- module: github.com/argoproj/argo-events
versions:
- fixed: 1.7.1
vulnerable_at: 1.7.0
packages:
- package: github.com/argoproj/argo-events/sensors/artifacts
symbols:
- NewGitReader
derived_symbols:
- GetArtifactReader
summary: Path traversal in github.com/argoproj/argo-events
description: |-
GitArtifactReader is vulnerable to directory traversal attacks.
The GitArtifactReader.Read function reads and returns the contents of a Git
repository file. A maliciously crafted repository can exploit this to cause Read
to read from arbitrary files on the filesystem.
published: 2022-07-15T23:30:03Z
cves:
- CVE-2022-25856
ghsas:
- GHSA-qpgx-64h2-gc3c
credits:
- Derek Wang
references:
- fix: https://github.com/argoproj/argo-events/pull/1965
- web: https://github.com/argoproj/argo-events/issues/1947
review_status: REVIEWED