blob: 084f0916614d54438a9dfeaaa8ea64822a351d5f [file] [log] [blame]
id: GO-2023-1519
modules:
- module: github.com/rancher/wrangler
versions:
- fixed: 0.7.4-security1
- introduced: 0.8.0
fixed: 0.8.5-security1
- introduced: 0.8.6
fixed: 0.8.11
- introduced: 1.0.0
fixed: 1.0.1
vulnerable_at: 1.0.0
packages:
- package: github.com/rancher/wrangler/pkg/git
symbols:
- Git.Clone
- Git.fetchAndReset
- Git.reset
- Git.gitCmd
derived_symbols:
- Git.Ensure
- Git.Head
- Git.LsRemote
- Git.Update
summary: 'TODO(https://go.dev/issue/56443): fill in summary field'
description: |
A command injection vulnerability exists in the Wrangler Git package.
Specially crafted commands can be passed to Wrangler that will change their
behavior and cause confusion when executed through Git, resulting in command
injection in the underlying host.
A workaround is to sanitize input passed to the Git package to remove potential
unsafe and ambiguous characters. Otherwise, the best course of action is to update to a
patched Wrangler version.
cves:
- CVE-2022-31249
ghsas:
- GHSA-qrg7-hfx7-95c5
references:
- advisory: https://github.com/advisories/GHSA-qrg7-hfx7-95c5