blob: d29e30613f08c182ded04624bee9d7a07daea431 [file] [log] [blame]
id: GO-2023-1515
modules:
- module: github.com/rancher/wrangler
versions:
- fixed: 0.7.4-security1
- introduced: 0.8.0
fixed: 0.8.5-security1
- introduced: 0.8.6
fixed: 0.8.11
- introduced: 1.0.0
fixed: 1.0.1
vulnerable_at: 1.0.0
packages:
- package: github.com/rancher/wrangler/pkg/git
symbols:
- Git.Clone
- Git.fetchAndReset
- Git.reset
- Git.gitCmd
derived_symbols:
- Git.Ensure
- Git.Head
- Git.LsRemote
- Git.Update
summary: Denial of service when processing Git credentials in github.com/rancher/wrangler
description: |-
A denial of service (DoS) vulnerability exists in the Wrangler Git package.
Specially crafted Git credentials can result in a denial of service (DoS) attack
on an application that uses Wrangler due to the exhaustion of the available
memory and CPU resources.
This is caused by a lack of input validation of Git credentials before they are
used, which may lead to a denial of service in some cases. This issue can be
triggered when accessing both private and public Git repositories.
A workaround is to sanitize input passed to the Git package to remove potential
unsafe and ambiguous characters. Otherwise, the best course of action is to
update to a patched Wrangler version.
cves:
- CVE-2022-43756
ghsas:
- GHSA-8fcj-gf77-47mg
references:
- fix: https://github.com/rancher/wrangler/commit/341018c8fef3e12867c7cb2649bd2cecac75f287
- advisory: https://github.com/advisories/GHSA-8fcj-gf77-47mg
- web: https://github.com/rancher/rancher/security/policy