GO-2023-1519

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2023-1519

Import Source

https://vuln.go.dev/ID/GO-2023-1519.json

JSON Data

https://api.test.osv.dev/v1/vulns/GO-2023-1519

Aliases

Published

2023-02-14T19:34:35Z

Modified

2024-05-20T16:03:47Z

Summary

Command injection in github.com/rancher/wrangler

Details

A command injection vulnerability exists in the Wrangler Git package. Specially crafted commands can be passed to Wrangler that will change their behavior and cause confusion when executed through Git, resulting in command injection in the underlying host.

A workaround is to sanitize input passed to the Git package to remove potential unsafe and ambiguous characters. Otherwise, the best course of action is to update to a patched Wrangler version.

Database specific

{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2023-1519"
}

References

https://github.com/advisories/GHSA-qrg7-hfx7-95c5

Affected packages

Go / github.com/rancher/wrangler

Package

Name: github.com/rancher/wrangler; View open source insights on deps.dev
Purl: pkg:golang/github.com/rancher/wrangler

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.7.4-security1

Introduced

0.8.0

Fixed

0.8.5-security1

Introduced

0.8.6

Fixed

0.8.11

Introduced

1.0.0

Fixed

1.0.1

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/rancher/wrangler/pkg/git",
            "symbols": [
                "Git.Clone",
                "Git.Ensure",
                "Git.Head",
                "Git.LsRemote",
                "Git.Update",
                "Git.fetchAndReset",
                "Git.gitCmd",
                "Git.reset"
            ]
        }
    ]
}