ghsa-qrg7-hfx7-95c5
Vulnerability from github
Published
2023-01-25 19:40
Modified
2023-02-08 22:37
Severity ?
Summary
Command injection in Git package in Wrangler
Details
Impact
A command injection vulnerability was discovered in Wrangler's Git package affecting versions up to and including v1.0.0.
Wrangler's Git package uses the underlying Git binary present in the host OS or container image to execute Git operations. Specially crafted commands can be passed to Wrangler that will change their behavior and cause confusion when executed through Git, resulting in command injection in the underlying host.
Workarounds
A workaround is to sanitize input passed to the Git package to remove potential unsafe and ambiguous characters. Otherwise, the best course of action is to update to a patched Wrangler version.
Patches
Patched versions include v1.0.1 and later and the backported tags - v0.7.4-security1, v0.8.5-security1 and v0.8.11.
For more information
If you have any questions or comments about this advisory:
- Reach out to SUSE Rancher Security team for security related inquiries.
- Open an issue in Rancher or Wrangler repository.
- Verify our support matrix and product support lifecycle.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/rancher/wrangler"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.7.4-security1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/rancher/wrangler"
},
"ranges": [
{
"events": [
{
"introduced": "0.8.0"
},
{
"fixed": "0.8.5-security1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/rancher/wrangler"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.0.0"
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/rancher/wrangler"
},
"ranges": [
{
"events": [
{
"introduced": "0.8.6"
},
{
"fixed": "0.8.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-31249"
],
"database_specific": {
"cwe_ids": [
"CWE-77",
"CWE-78",
"CWE-88"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-25T19:40:43Z",
"nvd_published_at": "2023-02-07T13:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nA command injection vulnerability was discovered in Wrangler\u0027s Git package affecting versions up to and including `v1.0.0`.\n\nWrangler\u0027s Git package uses the underlying Git binary present in the host OS or container image to execute Git operations. Specially crafted commands can be passed to Wrangler that will change their behavior and cause confusion when executed through Git, resulting in command injection in the underlying host.\n\n### Workarounds\n\nA workaround is to sanitize input passed to the Git package to remove potential unsafe and ambiguous characters. Otherwise, the best course of action is to update to a patched Wrangler version.\n\n### Patches\n\nPatched versions include `v1.0.1` and later and the backported tags - `v0.7.4-security1`, `v0.8.5-security1` and `v0.8.11`.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Reach out to [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n* Open an issue in [Rancher](https://github.com/rancher/rancher/issues/new/choose) or [Wrangler](https://github.com/rancher/wrangler/issues/new) repository.\n* Verify our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).",
"id": "GHSA-qrg7-hfx7-95c5",
"modified": "2023-02-08T22:37:02Z",
"published": "2023-01-25T19:40:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rancher/wrangler/security/advisories/GHSA-qrg7-hfx7-95c5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31249"
},
{
"type": "WEB",
"url": "https://github.com/rancher/wrangler/commit/12397eec50155cb2d24aa70bdf9e90c5f3b9a727"
},
{
"type": "WEB",
"url": "https://github.com/rancher/wrangler/commit/341018c8fef3e12867c7cb2649bd2cecac75f287"
},
{
"type": "WEB",
"url": "https://github.com/rancher/wrangler/commit/5a387e13e8d51e3340d9e5012a1951f0cca5fc90"
},
{
"type": "WEB",
"url": "https://github.com/rancher/wrangler/commit/8649ecc062204f28764fd80157a621cbae89c9cf"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1200299"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-qrg7-hfx7-95c5"
},
{
"type": "PACKAGE",
"url": "https://github.com/rancher/wrangler"
},
{
"type": "WEB",
"url": "https://github.com/rancher/wrangler/compare/v0.7.2...v0.7.4-security1"
},
{
"type": "WEB",
"url": "https://github.com/rancher/wrangler/compare/v0.8.4...v0.8.5-security1"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2023-1519"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Command injection in Git package in Wrangler"
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.