{ "schema_version": "1.4.0", "id": "GHSA-8fcj-gf77-47mg", "modified": "2023-02-07T15:50:58Z", "published": "2023-01-25T19:40:26Z", "aliases": [ "CVE-2022-43756" ], "summary": "Denial of service (DoS) when processing Git credentials", "details": "### Impact\n\nA denial of services (DoS) vulnerability was discovered in Wrangler Git package affecting versions up to and including `v1.0.0`.\n\nSpecially crafted Git credentials can result in a denial of service (DoS) attack on an application that uses Wrangler due to the exhaustion of the available memory and CPU resources. This is caused by a lack of input validation of Git credentials before they are used, which may lead to a denial of service in some cases. This issue can be triggered when accessing both private and public Git repositories. \n\n### Workarounds\n\nA workaround is to sanitize input passed to the Git package to remove potential unsafe and ambiguous characters. Otherwise, the best course of action is to update to a patched Wrangler version.\n\n### Patches\n\nPatched versions include `v1.0.1` and later and the backported tags - `v0.7.4-security1`, `v0.8.5-security1` and `v0.8.11`.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Reach out to [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n* Open an issue in [Rancher](https://github.com/rancher/rancher/issues/new/choose) or [Wrangler](https://github.com/rancher/wrangler/issues/new) repository.\n* Verify our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H" } ], "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/rancher/wrangler" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "0.7.4-security1" } ] } ], "database_specific": { "last_known_affected_version_range": "<= 0.7.3" } }, { "package": { "ecosystem": "Go", "name": "github.com/rancher/wrangler" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.8.0" }, { "fixed": "0.8.5-security1" } ] } ], "database_specific": { "last_known_affected_version_range": "<= 0.8.4" } }, { "package": { "ecosystem": "Go", "name": "github.com/rancher/wrangler" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.0.0" }, { "fixed": "1.0.1" } ] } ], "versions": [ "1.0.0" ] }, { "package": { "ecosystem": "Go", "name": "github.com/rancher/wrangler" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.8.6" }, { "fixed": "0.8.11" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/rancher/wrangler/security/advisories/GHSA-8fcj-gf77-47mg" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43756" }, { "type": "WEB", "url": "https://github.com/rancher/wrangler/commit/341018c8fef3e12867c7cb2649bd2cecac75f287" }, { "type": "WEB", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1205296" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-8fcj-gf77-47mg" }, { "type": "WEB", "url": "https://github.com/rancher/rancher/security/policy" }, { "type": "PACKAGE", "url": "https://github.com/rancher/wrangler" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2023-1515" } ], "database_specific": { "cwe_ids": [ "CWE-150", "CWE-74" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-01-25T19:40:26Z", "nvd_published_at": "2023-02-07T13:15:00Z" } }