Command injection in github.com/rancher/wrangler

2023-02-1419:34:35

Google

osv.dev

vulnerability

wrangler

git

command injection

workaround

sanitize

update

patched version

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.002 Low

EPSS

Percentile

56.5%

JSON

A command injection vulnerability exists in the Wrangler Git package. Specially crafted commands can be passed to Wrangler that will change their behavior and cause confusion when executed through Git, resulting in command injection in the underlying host.

A workaround is to sanitize input passed to the Git package to remove potential unsafe and ambiguous characters. Otherwise, the best course of action is to update to a patched Wrangler version.

CPENameOperatorVersion
github.com/rancher/wranglerge0.8.0
github.com/rancher/wranglerlt0.8.11
github.com/rancher/wranglerge1.0.0
github.com/rancher/wranglerlt0.8.5-security1
github.com/rancher/wranglerlt0.7.4-security1
github.com/rancher/wranglerlt1.0.1
github.com/rancher/wranglerge0.8.6

Name	Operator	Version
github.com/rancher/wrangler	ge	0.8.0
github.com/rancher/wrangler	lt	0.8.11
github.com/rancher/wrangler	ge	1.0.0
github.com/rancher/wrangler	lt	0.8.5-security1
github.com/rancher/wrangler	lt	0.7.4-security1
github.com/rancher/wrangler	lt	1.0.1
github.com/rancher/wrangler	ge	0.8.6