9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.002 Low
EPSS
Percentile
55.5%
A command injection vulnerability was discovered in Wrangler’s Git package affecting versions up to and including v1.0.0.
Wrangler’s Git package uses the Git binary present in the host OS or container image to execute Git operations. Specially crafted input passed to Wrangler can alter the behaviour of the Git commands it runs, resulting in command injection on the underlying host.
A workaround is to sanitize input passed to the Git package to remove potentially unsafe and ambiguous characters. Otherwise, the best course of action is to update to a patched Wrangler version.
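As an added example (not Wrangler’s own code or its fix), one defensive way to apply the workaround above in Go: validate caller-supplied Git operands, refuse anything that git could parse as an option or that carries control characters, and invoke the git binary directly with a `--` separator. The subcommand allow-list and the sample inputs are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// ErrUnsafeGitArg is returned when a caller-supplied value could be
// interpreted by git as something other than a plain operand.
var ErrUnsafeGitArg = errors.New("unsafe git argument")

// allowedSubcommands is a constructed allow-list for this example; a real
// wrapper would list only the operations it actually needs.
var allowedSubcommands = map[string]bool{"clone": true, "ls-remote": true}

// validateOperand rejects empty values, values git could parse as an
// option (leading '-'), and values embedding NUL or line terminators.
func validateOperand(s string) error {
	if s == "" || strings.HasPrefix(s, "-") {
		return fmt.Errorf("%w: %q", ErrUnsafeGitArg, s)
	}
	if strings.ContainsAny(s, "\x00\n\r") {
		return fmt.Errorf("%w: control character in %q", ErrUnsafeGitArg, s)
	}
	return nil
}

// BuildGitCommand builds an argv for git with no shell involved, placing
// "--" before untrusted operands so they can never be parsed as options.
func BuildGitCommand(sub string, operands ...string) ([]string, error) {
	if !allowedSubcommands[sub] {
		return nil, fmt.Errorf("%w: subcommand %q not allowed", ErrUnsafeGitArg, sub)
	}
	for _, op := range operands {
		if err := validateOperand(op); err != nil {
			return nil, err
		}
	}
	return append([]string{"git", sub, "--"}, operands...), nil
}

// RunGit executes a validated argv directly via exec (never a shell).
func RunGit(sub string, operands ...string) ([]byte, error) {
	argv, err := BuildGitCommand(sub, operands...)
	if err != nil {
		return nil, err
	}
	return exec.Command(argv[0], argv[1:]...).CombinedOutput()
}

func main() {
	// Constructed inputs: one acceptable URL, one option-like value.
	argv, err := BuildGitCommand("clone", "https://example.invalid/repo.git", "dest")
	fmt.Println(argv, err)
	_, err = BuildGitCommand("clone", "--option-like", "dest")
	fmt.Println(err)
}
```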
Patched versions include v1.0.1 and later, and the backported tags v0.7.4-security1, v0.8.5-security1 and v0.8.11.
If you have any questions or comments about this advisory:
bugzilla.suse.com/show_bug.cgi?id=1200299
github.com/advisories/GHSA-qrg7-hfx7-95c5
github.com/rancher/wrangler
github.com/rancher/wrangler/commit/12397eec50155cb2d24aa70bdf9e90c5f3b9a727
github.com/rancher/wrangler/commit/341018c8fef3e12867c7cb2649bd2cecac75f287
github.com/rancher/wrangler/commit/5a387e13e8d51e3340d9e5012a1951f0cca5fc90
github.com/rancher/wrangler/commit/8649ecc062204f28764fd80157a621cbae89c9cf
github.com/rancher/wrangler/compare/v0.7.2...v0.7.4-security1
github.com/rancher/wrangler/compare/v0.8.4...v0.8.5-security1
github.com/rancher/wrangler/security/advisories/GHSA-qrg7-hfx7-95c5
nvd.nist.gov/vuln/detail/CVE-2022-31249
pkg.go.dev/vuln/GO-2023-1519