data/reports/GO-2022-0492.yaml - vulndb - Git at Google

 id: GO-2022-0492
 modules:
   - module: github.com/argoproj/argo-events
     versions:
       - fixed: 1.7.1
     vulnerable_at: 1.7.0
     packages:
       - package: github.com/argoproj/argo-events/sensors/artifacts
         symbols:
           - NewGitReader
         derived_symbols:
           - GetArtifactReader
 summary: 'TODO(https://go.dev/issue/56443): fill in summary field'
 description: |
     GitArtifactReader is vulnerable to directory traversal attacks.

     The GitArtifactReader.Read function reads and returns the
     contents of a Git repository file. A maliciously crafted repository
     can exploit this to cause Read to read from arbitrary files on
     the filesystem.
 published: 2022-07-15T23:30:03Z
 cves:
   - CVE-2022-25856
 ghsas:
   - GHSA-qpgx-64h2-gc3c
 credits:
   - Derek Wang
 references:
   - fix: https://github.com/argoproj/argo-events/pull/1965
   - web: https://github.com/argoproj/argo-events/issues/1947
	id: GO-2022-0492
	modules:
	- module: github.com/argoproj/argo-events
	versions:
	- fixed: 1.7.1
	vulnerable_at: 1.7.0
	packages:
	- package: github.com/argoproj/argo-events/sensors/artifacts
	symbols:
	- NewGitReader
	derived_symbols:
	- GetArtifactReader
	summary: 'TODO(https://go.dev/issue/56443): fill in summary field'
	description: \|
	GitArtifactReader is vulnerable to directory traversal attacks.

	The GitArtifactReader.Read function reads and returns the
	contents of a Git repository file. A maliciously crafted repository
	can exploit this to cause Read to read from arbitrary files on
	the filesystem.
	published: 2022-07-15T23:30:03Z
	cves:
	- CVE-2022-25856
	ghsas:
	- GHSA-qpgx-64h2-gc3c
	credits:
	- Derek Wang
	references:
	- fix: https://github.com/argoproj/argo-events/pull/1965
	- web: https://github.com/argoproj/argo-events/issues/1947