CVE-2022-31249
Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)
Published: Jan 25, 2023
010
CVSS 9.8EPSS 0.12%Critical
CVE info copied to clipboard
A Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in wrangler of SUSE Rancher allows remote attackers to inject commands in the underlying host via crafted commands passed to Wrangler. This issue affects: SUSE Rancher wrangler version 0.7.3 and prior versions; wrangler version 0.8.4 and prior versions; wrangler version 1.0.0 and prior versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Timeline
First Article
Feedly found the first article mentioning CVE-2022-31249. See article
Jan 25, 2023 at 5:39 AM / forums.rancher.com
EPSS
EPSS Score was set to: 0.12% (Percentile: 45.4%)
Sep 22, 2023 at 2:31 AM
Affected Systems
Suse/wrangler
+null more
Patches
Github Advisory
+null more
Attack Patterns
CAPEC-136: LDAP Injection
+null more
Vendor Advisory
Command injection in Git package in Wrangler
Specially crafted commands can be passed to Wrangler that will change their behavior and cause confusion when executed through Git, resulting in command injection in the underlying host. A command injection vulnerability was discovered in Wrangler's Git package affecting versions up to and including v1.0.0.
References
VUL-0: CVE-2022-31249: [RANCHER] OS command injection in Rancher and Fleet
First Last Prev Next This bug is not in your last search results. First Last Prev Next This bug is not in your last search results.
News
OS command injection in rancher wrangler
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
The State of Go Fuzzing - Did we already reach the peak?
Given these features, traditional fuzzing techniques aimed at uncovering memory corruption issues, such as buffer overflows and dangling pointers, are less effective in Go. Instead, the focus should be on higher-level logic errors, improper input handling, and other application-level vulnerabilities, like we have also seen in the glimpse of the recent CVEs earlier. There exists go-118-fuzz-build, a continuation of, which again aims to support compiling native Golang fuzzers down to a libfuzzer target.
Vulnerability Summary for the Week of February 6, 2023
weblabyrinth — weblabyrinth A vulnerability classified as critical has been found in weblabyrinth 0.3.1. This affects the function Labyrinth of the file labyrinth.inc.php. The manipulation leads to sql injection. Upgrading to version 0.3.2 is able to address this issue. The name of the patch is 60793fd8c8c4759596d3510641e96ea40e7f60e9. It is recommended to upgrade the affected component. The identifier VDB-220221 was assigned to this vulnerability. 2023-02-07 not yet calculated CVE-2011-10002 MISC MISC MISC MISC MISC xpressengine — xpressengine A vulnerability was found in XpressEngine up to 1.4.4. It has been rated as critical. This issue affects some unknown processing of the component Update Query Handler.
ubuntu-cve-tracker - [no description]
+ `sasl.jaas.config` property for any of the connector's Kafka clients to + properties in connector configurations for Kafka Connect clusters running
CVE-2022-31249
- CVSS Scores & Vulnerability Types If the vulnerability is created recently it may take a few days to gather vulnerable products list and other information like cvss scores.
See 13 more articles and social media posts