===================================================================== CERT-Renater Note d'Information No. 2023/VULN035 _____________________________________________________________________ DATE : 31/01/2023 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running rancher/wrangler versions prior to 0.7.4-security1, 0.8.5-security1, 0.8.11, 1.0.1. ===================================================================== https://github.com/rancher/wrangler/security/advisories/GHSA-qrg7-hfx7-95c5 https://github.com/rancher/wrangler/security/advisories/GHSA-8fcj-gf77-47mg _____________________________________________________________________ Command injection in Git package High macedogm published GHSA-qrg7-hfx7-95c5 Jan 25, 2023 Package rancher/wrangler (Go) Affected versions <= v0.7.3 <= v0.8.4 <= v1.0.0 Patched versions > = v0.7.4-security1 v0.8.5-security1, v0.8.11 > = v1.0.1 Description Impact A command injection vulnerability was discovered in Wrangler's Git package affecting versions up to and including v1.0.0. Wrangler's Git package uses the underlying Git binary present in the host OS or container image to execute Git operations. Specially crafted commands can be passed to Wrangler that will change their behavior and cause confusion when executed through Git, resulting in command injection in the underlying host. Workarounds A workaround is to sanitize input passed to the Git package to remove potential unsafe and ambiguous characters. Otherwise, the best course of action is to update to a patched Wrangler version. Patches Patched versions include v1.0.1 and later and the backported tags - v0.7.4-security1, v0.8.5-security1 and v0.8.11. For more information If you have any questions or comments about this advisory: Reach out to SUSE Rancher Security team for security related inquiries. Open an issue in Rancher or Wrangler repository. Verify our support matrix and product support lifecycle. Severity High 7.5/ 10 CVSS base metrics Attack vector Network Attack complexity High Privileges required Low User interaction None Scope Unchanged Confidentiality High Integrity High Availability High CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE ID CVE-2022-31249 Weaknesses CWE-77 CWE-78 CWE-88 _____________________________________________________________________ Denial of service (DoS) when processing Git credentials Moderate macedogm published GHSA-8fcj-gf77-47mg Jan 25, 2023 Package rancher/wrangler (Go) Affected versions <= v0.7.3 <= v0.8.4 <= v1.0.0 Patched versions > = v0.7.4-security1 v0.8.5-security1, v0.8.11 > = v1.0.1 Description Impact A denial of services (DoS) vulnerability was discovered in Wrangler Git package affecting versions up to and including v1.0.0. Specially crafted Git credentials can result in a denial of service (DoS) attack on an application that uses Wrangler due to the exhaustion of the available memory and CPU resources. This is caused by a lack of input validation of Git credentials before they are used, which may lead to a denial of service in some cases. This issue can be triggered when accessing both private and public Git repositories. Workarounds A workaround is to sanitize input passed to the Git package to remove potential unsafe and ambiguous characters. Otherwise, the best course of action is to update to a patched Wrangler version. Patches Patched versions include v1.0.1 and later and the backported tags - v0.7.4-security1, v0.8.5-security1 and v0.8.11. For more information If you have any questions or comments about this advisory: Reach out to SUSE Rancher Security team for security related inquiries. Open an issue in Rancher or Wrangler repository. Verify our support matrix and product support lifecycle. Severity Moderate 5.9/ 10 CVSS base metrics Attack vector Network Attack complexity High Privileges required Low User interaction None Scope Unchanged Confidentiality None Integrity Low Availability High CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H CVE ID CVE-2022-43756 Weaknesses CWE-150 ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================