| modules: |
| - module: github.com/rancher/wrangler |
| versions: |
| - fixed: 0.7.4-security1 |
| - introduced: 0.8.0 |
| fixed: 0.8.5-security1 |
| - introduced: 0.8.6 |
| fixed: 0.8.11 |
| - introduced: 1.0.0 |
| fixed: 1.0.1 |
| vulnerable_at: 1.0.0 |
| packages: |
| - package: github.com/rancher/wrangler/pkg/git |
| symbols: |
| - Git.Clone |
| - Git.fetchAndReset |
| - Git.reset |
| - Git.gitCmd |
| derived_symbols: |
| - Git.Ensure |
| - Git.Head |
| - Git.LsRemote |
| - Git.Update |
| description: | |
| A command injection vulnerability exists in the Wrangler Git package. |
| Specially crafted commands can be passed to Wrangler that will change their |
| behavior and cause confusion when executed through Git, resulting in command |
| injection in the underlying host. |
| |
| A workaround is to sanitize input passed to the Git package to remove potential |
| unsafe and ambiguous characters. Otherwise, the best course of action is to update to a |
| patched Wrangler version. |
| cves: |
| - CVE-2022-31249 |
| ghsas: |
| - GHSA-qrg7-hfx7-95c5 |
| references: |
| - advisory: https://github.com/advisories/GHSA-qrg7-hfx7-95c5 |
