| id: GO-2023-1519 |
| modules: |
| - module: github.com/rancher/wrangler |
| versions: |
| - fixed: 0.7.4-security1 |
| - introduced: 0.8.0 |
| fixed: 0.8.5-security1 |
| - introduced: 0.8.6 |
| fixed: 0.8.11 |
| - introduced: 1.0.0 |
| fixed: 1.0.1 |
| vulnerable_at: 1.0.0 |
| packages: |
| - package: github.com/rancher/wrangler/pkg/git |
| symbols: |
| - Git.Clone |
| - Git.fetchAndReset |
| - Git.reset |
| - Git.gitCmd |
| derived_symbols: |
| - Git.Ensure |
| - Git.Head |
| - Git.LsRemote |
| - Git.Update |
| summary: Command injection in github.com/rancher/wrangler |
| description: |- |
| A command injection vulnerability exists in the Wrangler Git package. Specially |
| crafted commands can be passed to Wrangler that will change their behavior and |
| cause confusion when executed through Git, resulting in command injection in the |
| underlying host. |
| |
| A workaround is to sanitize input passed to the Git package to remove potential |
| unsafe and ambiguous characters. Otherwise, the best course of action is to |
| update to a patched Wrangler version. |
| cves: |
| - CVE-2022-31249 |
| ghsas: |
| - GHSA-qrg7-hfx7-95c5 |
| references: |
| - advisory: https://github.com/advisories/GHSA-qrg7-hfx7-95c5 |
| review_status: REVIEWED |