Description
Denial of service (DoS) when processing Git credentials
Impact
A denial of service (DoS) vulnerability was discovered in the Wrangler Git package, affecting versions up to and including v1.0.0.
Specially crafted Git credentials can result in a denial of service (DoS) attack on an application that uses Wrangler due to the exhaustion of the available memory and CPU resources. This is caused by a lack of input validation of Git credentials before they are used, which may lead to a denial of service in some cases. This issue can be triggered when accessing both private and public Git repositories.
Workarounds
A workaround is to sanitize input passed to the Git package to remove potentially unsafe and ambiguous characters. Otherwise, the best course of action is to update to a patched Wrangler version.
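The sanitization workaround above, written out as an added example that is not Wrangler's own code: a caller validates (or strips) Git credential values before handing them to the Git package. The length cap and the rejected character classes are assumptions, since the advisory does not specify which characters it considers unsafe.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// maxCredentialLen is an assumed cap; the advisory does not give one.
const maxCredentialLen = 1024

var (
	ErrCredentialEmpty   = errors.New("git credential is empty")
	ErrCredentialTooLong = errors.New("git credential exceeds length cap")
	ErrCredentialInvalid = errors.New("git credential contains control or non-printable characters")
)

// ValidateGitCredential rejects a credential value before it reaches the Git
// package: empty, over-long, not valid UTF-8, or containing control or other
// non-printable characters (newline, NUL, tab) that are ambiguous in
// credential handling. Reject-first is the stricter option.
func ValidateGitCredential(value string) error {
	switch {
	case value == "":
		return ErrCredentialEmpty
	case len(value) > maxCredentialLen:
		return ErrCredentialTooLong
	case !utf8.ValidString(value):
		return ErrCredentialInvalid
	}
	for _, r := range value {
		if !unicode.IsPrint(r) { // IsPrint is false for all control characters
			return ErrCredentialInvalid
		}
	}
	return nil
}

// SanitizeGitCredential is the lenient variant: strip the same characters and
// truncate on a rune boundary, for callers that clean rather than reject.
func SanitizeGitCredential(value string) string {
	cleaned := strings.Map(func(r rune) rune {
		if !unicode.IsPrint(r) {
			return -1 // drop the rune
		}
		return r
	}, value)
	for len(cleaned) > maxCredentialLen || !utf8.ValidString(cleaned) {
		cleaned = cleaned[:len(cleaned)-1]
	}
	return cleaned
}

func main() {
	// Constructed sample inputs: one benign, one with an embedded newline, one over-long.
	for _, c := range []string{"deploy-user", "pass\nword", strings.Repeat("A", 2000)} {
		fmt.Printf("%.20q -> %v\n", c, ValidateGitCredential(c))
	}
}
```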
Patches
Patched versions include v1.0.1 and later, and the backported tags v0.7.4-security1, v0.8.5-security1 and v0.8.11.
For more information
If you have any questions or comments about this advisory:
- Reach out to the SUSE Rancher Security team for security-related inquiries.
- Open an issue in the Rancher or Wrangler repository.
- Verify our support matrix and product support lifecycle.
References
- https://github.com/rancher/wrangler/security/advisories/GHSA-8fcj-gf77-47mg
- https://nvd.nist.gov/vuln/detail/CVE-2022-43756
- https://github.com/rancher/wrangler/commit/341018c8fef3e12867c7cb2649bd2cecac75f287
- https://bugzilla.suse.com/show_bug.cgi?id=1205296
- https://github.com/advisories/GHSA-8fcj-gf77-47mg
- https://github.com/rancher/rancher/security/policy
- https://pkg.go.dev/vuln/GO-2023-1515
Packages
Affected package, affected version range, and the version that fixes it:
- github.com/rancher/wrangler, <= 0.7.3: fixed in 0.7.4-security1
- github.com/rancher/wrangler, >= 0.8.0 and <= 0.8.4: fixed in 0.8.5-security1
- github.com/rancher/wrangler, = 1.0.0: fixed in 1.0.1
- github.com/rancher/wrangler, >= 0.8.6 and < 0.8.11: fixed in 0.8.11
Related vulnerabilities
An Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in SUSE Rancher allows remote attackers to cause denial of service by supplying specially crafted git credentials. This issue affects: SUSE Rancher wrangler version 0.7.3 and prior versions; wrangler version 0.8.4 and prior versions; wrangler version 1.0.0 and prior versions.