data/reports: add GO-2023-1515.yaml

Aliases: CVE-2022-43756, GHSA-8fcj-gf77-47mg

Fixes golang/vulndb#1515

Change-Id: Ie12b030b8859156a869cb91050fd9af7ab8daf05
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/466665
Run-TryBot: Maceo Thompson <maceothompson@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Maceo Thompson 2023-02-08 15:41:34 -05:00
Parent 18450b1d4c
Commit e2b43878b0
2 changed files: 125 additions and 0 deletions


@ -0,0 +1,81 @@
{
"id": "GO-2023-1515",
"published": "0001-01-01T00:00:00Z",
"modified": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2022-43756",
"GHSA-8fcj-gf77-47mg"
],
"details": "A denial of service (DoS) vulnerability exists in the Wrangler Git package. Specially crafted Git credentials can result in a denial of service (DoS) attack on an application that uses Wrangler due to the exhaustion of the available memory and CPU resources.\n\nThis is caused by a lack of input validation of Git credentials before they are used, which may lead to a denial of service in some cases. This issue can be triggered when accessing both private and public Git repositories.\n\nA workaround is to sanitize input passed to the Git package to remove potential unsafe and ambiguous characters. Otherwise, the best course of action is to update to a patched Wrangler version.",
"affected": [
{
"package": {
"name": "github.com/rancher/wrangler",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0.8.6"
},
{
"fixed": "0.8.11"
},
{
"introduced": "1.0.0"
},
{
"fixed": "1.0.1"
},
{
"introduced": "0.8.0"
},
{
"fixed": "0.8.5-security1"
},
{
"fixed": "0.7.4-security1"
}
]
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2023-1515"
},
"ecosystem_specific": {
"imports": [
{
"path": "github.com/rancher/wrangler/pkg/git",
"symbols": [
"Git.Clone",
"Git.Ensure",
"Git.Head",
"Git.LsRemote",
"Git.Update",
"Git.fetchAndReset",
"Git.gitCmd",
"Git.reset"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/rancher/wrangler/commit/341018c8fef3e12867c7cb2649bd2cecac75f287"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-8fcj-gf77-47mg"
},
{
"type": "WEB",
"url": "https://github.com/rancher/rancher/security/policy"
}
],
"schema_version": "1.3.1"
}
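Review bot: the `fixed` boundaries `0.8.5-security1` and `0.7.4-security1` in the `events` array are semver pre-release identifiers, so they sort before the `0.8.5` and `0.7.4` releases; with the events as written, `0.7.4` is treated as fixed (it is not less than `0.7.4-security1`) and `0.8.5` falls in the gap between `0.8.5-security1` and the next `introduced: 0.8.6`, so both releases would be reported as not affected even though a `-security1` tag usually means the fix was cut on top of that release. Please confirm against the linked advisory and fix commit which released versions actually carry the patch; if `0.7.4` and `0.8.5` are affected, the boundaries need to be expressed with versions that sort after them. While touching this, list the events in ascending version order (the bare `"fixed": "0.7.4-security1"` first, then `0.8.0`, `0.8.6`, `1.0.0`) so the coverage gaps are visible at a glance.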


@ -0,0 +1,44 @@
modules:
- module: github.com/rancher/wrangler
versions:
- introduced: 0.8.6
fixed: 0.8.11
- introduced: 1.0.0
fixed: 1.0.1
- introduced: 0.8.0
fixed: 0.8.5-security1
- fixed: 0.7.4-security1
vulnerable_at: 1.0.0
packages:
- package: github.com/rancher/wrangler/pkg/git
symbols:
- Git.Clone
- Git.fetchAndReset
- Git.reset
- Git.gitCmd
derived_symbols:
- Git.Ensure
- Git.Head
- Git.LsRemote
- Git.Update
description: |
A denial of service (DoS) vulnerability exists in the Wrangler Git package.
Specially crafted Git credentials can result in a denial of service (DoS) attack
on an application that uses Wrangler due to the exhaustion of the available memory
and CPU resources.
This is caused by a lack of input validation of Git credentials before they are
used, which may lead to a denial of service in some cases. This issue can be
triggered when accessing both private and public Git repositories.
A workaround is to sanitize input passed to the Git package to remove potential
unsafe and ambiguous characters. Otherwise, the best course of action is to update
to a patched Wrangler version.
cves:
- CVE-2022-43756
ghsas:
- GHSA-8fcj-gf77-47mg
references:
- fix: https://github.com/rancher/wrangler/commit/341018c8fef3e12867c7cb2649bd2cecac75f287
- advisory: https://github.com/advisories/GHSA-8fcj-gf77-47mg
- web: https://github.com/rancher/rancher/security/policy
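Review bot: the `versions` list is not in ascending order: the entry with no `introduced` (`- fixed: 0.7.4-security1`, meaning affected from the first version) comes last, after the `1.0.0` range, and `0.8.0` follows `0.8.6`. Reorder the four ranges ascending so they read as contiguous and the report generated from this file matches the JSON. The same pre-release caveat applies here as in the JSON: `0.7.4-security1` and `0.8.5-security1` sort below `0.7.4` and `0.8.5`, so those releases end up marked as fixed; check that this is intended. `vulnerable_at: 1.0.0` is fine, since it lies inside the `1.0.0` to `1.0.1` range.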