7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31249

GHSA ID

GHSA-qrg7-hfx7-95c5

EPSS Score

0.7988%

CWE

CWE-77

Published

1/25/2023

Updated

6/13/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-31249

CVE-2022-31249: Command injection in Git package in Wrangler

Impact

A command injection vulnerability was discovered in Wrangler's Git package affecting versions up to and including v1.0.0.

Wrangler's Git package uses the underlying Git binary present in the host OS or container image to execute Git operations. Specially crafted commands can be passed to Wrangler that will change their behavior and cause confusion when executed through Git, resulting in command injection in the underlying host.

Workarounds

A workaround is to sanitize input passed to the Git package to remove potential unsafe and ambiguous characters. Otherwise, the best course of action is to update to a patched Wrangler version.

Patches

Patched versions include v1.0.1 and later and the backported tags - v0.7.4-security1, v0.8.5-security1 and v0.8.11.

For more information

If you have any questions or comments about this advisory:

Reach out to SUSE Rancher Security team for security related inquiries.
Open an issue in Rancher or Wrangler repository.
Verify our support matrix and product support lifecycle.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31249

GHSA ID

GHSA-qrg7-hfx7-95c5

EPSS Score

0.7988%

CWE

CWE-77

Published

1/25/2023

Updated

6/13/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/rancher/wrangler	go	>= 0.8.6, < 0.8.11	0.8.11
github.com/rancher/wrangler	go	= 1.0.0	1.0.1
github.com/rancher/wrangler	go	< 0.7.4-security1	0.7.4-security1
github.com/rancher/wrangler	go	>= 0.8.0, < 0.8.5-security1	0.8.5-security1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper argument handling in Git command construction. The commit patches show critical additions of '--' argument separators and quoting fixes in multiple functions. These changes directly address command/argument injection vectors by: 1) Preventing user-controlled values (branch names, revisions) from being interpreted as Git options/flags, and 2) Fixing shell injection in credential helper configuration. The functions modified in the security patches are clearly identified as the vulnerable points where these injection vectors existed.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * *omm*n* inj**tion vuln*r**ility w*s *is*ov*r** in Wr*n*l*r's *it p**k*** *****tin* v*rsions up to *n* in*lu*in* `v*.*.*`. Wr*n*l*r's *it p**k*** us*s t** un**rlyin* *it *in*ry pr*s*nt in t** *ost OS or *ont*in*r im*** to *x**ut* *it op

Reasoning

T** vuln*r**ility st*ms *rom improp*r *r*um*nt **n*lin* in *it *omm*n* *onstru*tion. T** *ommit p*t***s s*ow *riti**l ***itions o* '--' *r*um*nt s*p*r*tors *n* quotin* *ix*s in multipl* *un*tions. T**s* ***n**s *ir**tly ***r*ss *omm*n*/*r*um*nt inj**

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-31249: Command injection in Git package in Wrangler

Impact

Workarounds

Patches

For more information

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI