| id: GO-2022-0492 |
| modules: |
| - module: github.com/argoproj/argo-events |
| versions: |
| - fixed: 1.7.1 |
| vulnerable_at: 1.7.0 |
| packages: |
| - package: github.com/argoproj/argo-events/sensors/artifacts |
| symbols: |
| - NewGitReader |
| derived_symbols: |
| - GetArtifactReader |
| summary: Path traversal in github.com/argoproj/argo-events |
| description: |- |
| GitArtifactReader is vulnerable to directory traversal attacks. |
| |
| The GitArtifactReader.Read function reads and returns the contents of a Git |
| repository file. A maliciously crafted repository can exploit this to cause Read |
| to read from arbitrary files on the filesystem. |
| published: 2022-07-15T23:30:03Z |
| cves: |
| - CVE-2022-25856 |
| ghsas: |
| - GHSA-qpgx-64h2-gc3c |
| credits: |
| - Derek Wang |
| references: |
| - fix: https://github.com/argoproj/argo-events/pull/1965 |
| - web: https://github.com/argoproj/argo-events/issues/1947 |
| review_status: REVIEWED |