blob: e95c076b9430aac218efa0fed5ef79ad1a531d37 [file] [log] [blame]
id: GO-2023-1519
modules:
- module: github.com/rancher/wrangler
versions:
- fixed: 0.7.4-security1
- introduced: 0.8.0
fixed: 0.8.5-security1
- introduced: 0.8.6
fixed: 0.8.11
- introduced: 1.0.0
fixed: 1.0.1
vulnerable_at: 1.0.0
packages:
- package: github.com/rancher/wrangler/pkg/git
symbols:
- Git.Clone
- Git.fetchAndReset
- Git.reset
- Git.gitCmd
derived_symbols:
- Git.Ensure
- Git.Head
- Git.LsRemote
- Git.Update
summary: Command injection in github.com/rancher/wrangler
description: |-
A command injection vulnerability exists in the Wrangler Git package. Specially
crafted commands can be passed to Wrangler that will change their behavior and
cause confusion when executed through Git, resulting in command injection in the
underlying host.
A workaround is to sanitize input passed to the Git package to remove potential
unsafe and ambiguous characters. Otherwise, the best course of action is to
update to a patched Wrangler version.
cves:
- CVE-2022-31249
ghsas:
- GHSA-qrg7-hfx7-95c5
references:
- advisory: https://github.com/advisories/GHSA-qrg7-hfx7-95c5
review_status: REVIEWED