ghsa-8fcj-gf77-47mg
Vulnerability from github
Published
2023-01-25 19:40
Modified
2023-02-07 15:50
Severity ?
Summary
Denial of service (DoS) when processing Git credentials
Details
Impact
A denial of services (DoS) vulnerability was discovered in Wrangler Git package affecting versions up to and including v1.0.0.
Specially crafted Git credentials can result in a denial of service (DoS) attack on an application that uses Wrangler due to the exhaustion of the available memory and CPU resources. This is caused by a lack of input validation of Git credentials before they are used, which may lead to a denial of service in some cases. This issue can be triggered when accessing both private and public Git repositories.
Workarounds
A workaround is to sanitize input passed to the Git package to remove potential unsafe and ambiguous characters. Otherwise, the best course of action is to update to a patched Wrangler version.
Patches
Patched versions include v1.0.1 and later and the backported tags - v0.7.4-security1, v0.8.5-security1 and v0.8.11.
For more information
If you have any questions or comments about this advisory:
- Reach out to SUSE Rancher Security team for security related inquiries.
- Open an issue in Rancher or Wrangler repository.
- Verify our support matrix and product support lifecycle.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.7.3"
},
"package": {
"ecosystem": "Go",
"name": "github.com/rancher/wrangler"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.7.4-security1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.8.4"
},
"package": {
"ecosystem": "Go",
"name": "github.com/rancher/wrangler"
},
"ranges": [
{
"events": [
{
"introduced": "0.8.0"
},
{
"fixed": "0.8.5-security1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/rancher/wrangler"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.0.0"
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/rancher/wrangler"
},
"ranges": [
{
"events": [
{
"introduced": "0.8.6"
},
{
"fixed": "0.8.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-43756"
],
"database_specific": {
"cwe_ids": [
"CWE-150",
"CWE-74"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-25T19:40:26Z",
"nvd_published_at": "2023-02-07T13:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nA denial of services (DoS) vulnerability was discovered in Wrangler Git package affecting versions up to and including `v1.0.0`.\n\nSpecially crafted Git credentials can result in a denial of service (DoS) attack on an application that uses Wrangler due to the exhaustion of the available memory and CPU resources. This is caused by a lack of input validation of Git credentials before they are used, which may lead to a denial of service in some cases. This issue can be triggered when accessing both private and public Git repositories. \n\n### Workarounds\n\nA workaround is to sanitize input passed to the Git package to remove potential unsafe and ambiguous characters. Otherwise, the best course of action is to update to a patched Wrangler version.\n\n### Patches\n\nPatched versions include `v1.0.1` and later and the backported tags - `v0.7.4-security1`, `v0.8.5-security1` and `v0.8.11`.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Reach out to [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n* Open an issue in [Rancher](https://github.com/rancher/rancher/issues/new/choose) or [Wrangler](https://github.com/rancher/wrangler/issues/new) repository.\n* Verify our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).",
"id": "GHSA-8fcj-gf77-47mg",
"modified": "2023-02-07T15:50:58Z",
"published": "2023-01-25T19:40:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rancher/wrangler/security/advisories/GHSA-8fcj-gf77-47mg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43756"
},
{
"type": "WEB",
"url": "https://github.com/rancher/wrangler/commit/341018c8fef3e12867c7cb2649bd2cecac75f287"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1205296"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-8fcj-gf77-47mg"
},
{
"type": "WEB",
"url": "https://github.com/rancher/rancher/security/policy"
},
{
"type": "PACKAGE",
"url": "https://github.com/rancher/wrangler"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2023-1515"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "Denial of service (DoS) when processing Git credentials"
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.