| { |
| "schema_version": "1.3.1", |
| "id": "GO-2023-1519", |
| "modified": "0001-01-01T00:00:00Z", |
| "published": "0001-01-01T00:00:00Z", |
| "aliases": [ |
| "CVE-2022-31249", |
| "GHSA-qrg7-hfx7-95c5" |
| ], |
| "summary": "Command injection in github.com/rancher/wrangler", |
| "details": "A command injection vulnerability exists in the Wrangler Git package. Specially crafted commands can be passed to Wrangler that will change their behavior and cause confusion when executed through Git, resulting in command injection in the underlying host.\n\nA workaround is to sanitize input passed to the Git package to remove potential unsafe and ambiguous characters. Otherwise, the best course of action is to update to a patched Wrangler version.", |
| "affected": [ |
| { |
| "package": { |
| "name": "github.com/rancher/wrangler", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "0" |
| }, |
| { |
| "fixed": "0.7.4-security1" |
| }, |
| { |
| "introduced": "0.8.0" |
| }, |
| { |
| "fixed": "0.8.5-security1" |
| }, |
| { |
| "introduced": "0.8.6" |
| }, |
| { |
| "fixed": "0.8.11" |
| }, |
| { |
| "introduced": "1.0.0" |
| }, |
| { |
| "fixed": "1.0.1" |
| } |
| ] |
| } |
| ], |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "github.com/rancher/wrangler/pkg/git", |
| "symbols": [ |
| "Git.Clone", |
| "Git.Ensure", |
| "Git.Head", |
| "Git.LsRemote", |
| "Git.Update", |
| "Git.fetchAndReset", |
| "Git.gitCmd", |
| "Git.reset" |
| ] |
| } |
| ] |
| } |
| } |
| ], |
| "references": [ |
| { |
| "type": "ADVISORY", |
| "url": "https://github.com/advisories/GHSA-qrg7-hfx7-95c5" |
| } |
| ], |
| "database_specific": { |
| "url": "https://pkg.go.dev/vuln/GO-2023-1519" |
| } |
| } |