Description
An arbitrary code execution vulnerability exists in the git functionality of Truffle Security Co. TruffleHog 3.90.2. A specially crafted repository can lead to arbitrary code execution. An attacker can provide a malicious repository to trigger this vulnerability.
A flaw was found in the git functionality of TruffleHog. Scanning a specially crafted git repository that was copied file-for-file (for example via tar, cp, rsync or similar tools), with a malicious core.fsmonitor option specified in its .git/config file, can cause arbitrary code execution.
Statement
This flaw affects only repositories copied file-for-file, such as via tar, cp, rsync or similar tools. It does not affect the regular use case of cloned repositories, because git clone does not transfer the source repository's .git/config; this limits the impact of the vulnerability.
Mitigation
Before scanning the repository, check the contents of its .git/config file for a malicious core.fsmonitor option, for example a value that runs a system program or script unrelated to project maintenance. Inspect the file directly rather than with git commands run inside the copied tree, since commands such as git status can themselves invoke the fsmonitor hook.
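The following POSIX shell check implements that mitigation. It is an added example, not part of the advisory or of TruffleHog: it reads .git/config directly (no git invocation, so the inspection cannot trigger the hook), reports a core.fsmonitor value that would run a command, and also flags include/includeIf paths, since those can set the option from another file. The function names, the sample configuration files (constructed here for illustration) and the treatment of boolean values as Git's built-in monitor rather than an external command (taken from git-config's documented semantics) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the advisory or of TruffleHog: inspect a copied
# repository's .git/config for core.fsmonitor (and for [include] files that could
# set it) without invoking git, so the inspection itself cannot run the hook.

# check_fsmonitor_config <path-to-.git/config>
# Exit status: 0 = nothing that would run an external command,
#              1 = refuse to scan (command-valued fsmonitor, or an include to review),
#              2 = config file missing or unreadable.
check_fsmonitor_config() {
    cfg="$1"
    [ -r "$cfg" ] || { printf 'cannot read %s\n' "$cfg" >&2; return 2; }

    # awk walks the INI-like git config: it remembers the current [section],
    # skips comments, and emits "fsmonitor <value>" for core.fsmonitor and
    # "include <path>" for include.path / includeIf.*.path. Keys are
    # case-insensitive in git config, so everything is compared in lower case.
    findings=$(awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sect = tolower($0); next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (line == "") next
            key = tolower(line); sub(/[ \t]*=.*/, "", key)
            # a bare key with no "=" means boolean true in git config syntax
            if (index(line, "=") == 0) val = "true"
            else { val = line; sub(/^[^=]*=[ \t]*/, "", val) }
            if (sect ~ /^\[[ \t]*core[ \t]*\]/ && key == "fsmonitor") print "fsmonitor " val
            if (sect ~ /^\[[ \t]*include/ && key == "path")          print "include " val
        }' "$cfg")

    [ -z "$findings" ] && return 0

    status=0
    oldifs=$IFS
    IFS='
'
    set -f   # no pathname expansion while splitting findings on newlines
    for f in $findings; do
        kind=${f%% *}
        val=${f#* }
        lv=$(printf '%s' "$val" | tr 'A-Z' 'a-z')
        case "$kind:$lv" in
            # Boolean values select git's built-in monitor daemon, not an external
            # command (assumption taken from git-config(1); reported as a note only).
            fsmonitor:true|fsmonitor:false|fsmonitor:yes|fsmonitor:no|fsmonitor:on|fsmonitor:off|fsmonitor:1|fsmonitor:0)
                printf 'note: %s uses the built-in fsmonitor (%s)\n' "$cfg" "$val" >&2 ;;
            fsmonitor:*)
                printf 'REFUSE: %s runs a command via core.fsmonitor: %s\n' "$cfg" "$val" >&2
                status=1 ;;
            include:*)
                printf 'REFUSE: %s pulls in %s via include; review that file first\n' "$cfg" "$val" >&2
                status=1 ;;
        esac
    done
    set +f
    IFS=$oldifs
    return "$status"
}

# make_sample_configs <dir>
# Writes four constructed .git/config files (sample data for this example only).
make_sample_configs() {
    root="$1"
    mkdir -p "$root/clean/.git" "$root/builtin/.git" "$root/evil/.git" "$root/include/.git"
    # Ordinary repository: no fsmonitor key at all.
    printf '[core]\n\trepositoryformatversion = 0\n\tfilemode = true\n[remote "origin"]\n\turl = https://example.invalid/repo.git\n' \
        > "$root/clean/.git/config"
    # Developer enabled the built-in monitor: boolean, no external command.
    printf '[core]\n\trepositoryformatversion = 0\n\tfsmonitor = true\n' \
        > "$root/builtin/.git/config"
    # The pattern the advisory describes: fsmonitor pointing at a system program
    # unrelated to project maintenance (constructed, deliberately harmless command;
    # mixed-case key to show that matching is case-insensitive).
    printf '[core]\n\trepositoryformatversion = 0\n\tFSMonitor = /bin/sh -c "id > /tmp/fsmonitor-ran"\n' \
        > "$root/evil/.git/config"
    # An include that could set core.fsmonitor elsewhere; must be reviewed too.
    printf '[core]\n\trepositoryformatversion = 0\n[include]\n\tpath = ../../shared.inc\n' \
        > "$root/include/.git/config"
}

# Demo over the constructed samples; drop this part when wiring the check into a pipeline.
demo=$(mktemp -d)
make_sample_configs "$demo"
for repo in clean builtin evil include; do
    if check_fsmonitor_config "$demo/$repo/.git/config"; then
        echo "$repo: safe to scan"
    else
        echo "$repo: blocked (exit $?)"
    fi
done
rm -rf "$demo"
```

Run it against every `*/.git/config` under the directory you received before handing the tree to the scanner, and treat any non-zero status as a reason not to scan until a human has looked at the file. The check is deliberately narrow: it does not parse the full git config grammar (quoted values with escaped characters, multi-line continuations), so a file that fails to parse cleanly should also be reviewed by hand rather than assumed safe.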
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | openshift-logging/logging-loki-rhel9 | Not affected | | |
| Logging Subsystem for Red Hat OpenShift | openshift-logging/loki-operator-bundle | Not affected | | |
| Logging Subsystem for Red Hat OpenShift | openshift-logging/loki-rhel9-operator | Not affected | | |
| Logging Subsystem for Red Hat OpenShift | openshift-logging/lokistack-gateway-rhel9 | Not affected | | |
| Logging Subsystem for Red Hat OpenShift | openshift-logging/opa-openshift-rhel9 | Not affected | | |
Additional information
CVSS3: 7.8 High