CVE-2022-31249 — OS Command Injection in Rancher Wrangler

CWE-78 — OS Command Injection CWE-77 — Command Injection CWE-88 — Argument Injection5 documents4 sources

Severity

9.8CRITICALNVD

CNA7.5

EPSS

1.2%

top 20.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Rancher Wrangler Suse Wrangler Suse Rancher

Timeline

PublishedFeb 7

Latest updateFeb 14

Description

A Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in wrangler of SUSE Rancher allows remote attackers to inject commands in the underlying host via crafted commands passed to Wrangler. This issue affects: SUSE Rancher wrangler version 0.7.3 and prior versions; wrangler version 0.8.4 and prior versions; wrangler version 1.0.0 and prior versions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDsuse/wrangler0.8.0 — 0.8.5+2

▶Gogithub.com/rancher_wrangler0.8.0 — 0.8.5-security1+3

▶CVEListV5suse/rancherwrangler — 0.7.3

🔴Vulnerability Details

OSV

Command injection in github.com/rancher/wrangler↗2023-02-14

▶

CVEList

[RANCHER] OS command injection in Rancher and Fleet↗2023-02-07

▶

OSV

Command injection in Git package in Wrangler↗2023-01-25

▶

GHSA

Command injection in Git package in Wrangler↗2023-01-25

▶