CVE-2022-31249
published 2023-02-07CVE-2022-31249: A Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in wrangler of SUSE Rancher allows remote attackers…
PriorityP267critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
3.76%
88.5th percentile
A Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in wrangler of SUSE Rancher allows remote attackers to inject commands in the underlying host via crafted commands passed to Wrangler. This issue affects: SUSE Rancher wrangler version 0.7.3 and prior versions; wrangler version 0.8.4 and prior versions; wrangler version 1.0.0 and prior versions.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | rancher_wrangler | >= 0 < 0.7.4-security1 | 0.7.4-security1 |
| github.com | rancher_wrangler | >= 0.8.0 < 0.8.5-security1 | 0.8.5-security1 |
| github.com | rancher_wrangler | >= 0.8.6 < 0.8.11 | 0.8.11 |
| github.com | rancher_wrangler | >= 1.0.0 < 1.0.1 | 1.0.1 |
| suse | rancher | wrangler – 0.7.3 | — |
| suse | wrangler | < 0.7.4 | 0.7.4 |
| suse | wrangler | — | — |
| suse | wrangler | >= 0.8.0 < 0.8.5 | 0.8.5 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Command injection in github.com/rancher/wrangler
osv·2023-02-14
CVE-2022-31249 Command injection in github.com/rancher/wrangler
Command injection in github.com/rancher/wrangler
A command injection vulnerability exists in the Wrangler Git package. Specially crafted commands can be passed to Wrangler that will change their behavior and cause confusion when executed through Git, resulting in command injection in the underlying host.
A workaround is to sanitize input passed to the Git package to remove potential unsafe and ambiguous characters. Otherwise, the best course of action is to update to a patched Wrangler version.
OSV
Command injection in Git package in Wrangler
osv·2023-01-25
CVE-2022-31249 [HIGH] Command injection in Git package in Wrangler
Command injection in Git package in Wrangler
### Impact
A command injection vulnerability was discovered in Wrangler's Git package affecting versions up to and including `v1.0.0`.
Wrangler's Git package uses the underlying Git binary present in the host OS or container image to execute Git operations. Specially crafted commands can be passed to Wrangler that will change their behavior and cause confusion when executed through Git, resulting in command injection in the underlying host.
### Workarounds
A workaround is to sanitize input passed to the Git package to remove potential unsafe and ambiguous characters. Otherwise, the best course of action is to update to a patched Wrangler version.
### Patches
Patched versions include `v1.0.1` and later and the backported tags - `v0.7.4-sec
GHSA
Command injection in Git package in Wrangler
ghsa·2023-01-25
CVE-2022-31249 [HIGH] CWE-77 Command injection in Git package in Wrangler
Command injection in Git package in Wrangler
### Impact
A command injection vulnerability was discovered in Wrangler's Git package affecting versions up to and including `v1.0.0`.
Wrangler's Git package uses the underlying Git binary present in the host OS or container image to execute Git operations. Specially crafted commands can be passed to Wrangler that will change their behavior and cause confusion when executed through Git, resulting in command injection in the underlying host.
### Workarounds
A workaround is to sanitize input passed to the Git package to remove potential unsafe and ambiguous characters. Otherwise, the best course of action is to update to a patched Wrangler version.
### Patches
Patched versions include `v1.0.1` and later and the backported tags - `v0.7.4-sec
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2023-02-07
Published