CVE-2022-25856 The package github.com/argoproj/argo-events/sensors/artifacts before 1.7.1 has a vulnerability that allows for Directory Traversal.


/home/user>/.github/ or /etc/passwd if the --bare option is provided.

[Additionally, this issue applies to the events package, but has not yet been reported.]

Git before version 1.9.9 is vulnerable to Directory Traversal in the (g *GitArtifactReader).Read() API in git.go. This could allow arbitrary file reads if the GitArtifactReader is provided a pathname containing a symbolic link or an implicit directory name such as ...
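The two escape routes named above, a lexical `..` traversal and a symbolic link that points outside the checkout, need two different checks. The following is an added example of a confined path resolver, not code from argo-events or from git.go; the names `SafeJoin`, `within` and `Demo` are my own, and the checkout it builds (a `README.md`, a `secret.txt` outside the root, and a `link` symlink to it) is constructed in a temporary directory solely for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a requested path would resolve outside the checkout root.
var ErrOutsideRoot = errors.New("path escapes checkout root")

// SafeJoin returns the resolved absolute path of rel inside root. It refuses absolute
// requests, paths that fold outside root after cleaning ("../secret.txt"), and paths
// that leave root only after symlink resolution ("link" -> ../secret.txt).
func SafeJoin(root, rel string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Resolve the root itself first so the prefix comparison below is canonical
	// (e.g. /var vs /private/var on macOS).
	absRoot, err = filepath.EvalSymlinks(absRoot)
	if err != nil {
		return "", err
	}
	if filepath.IsAbs(rel) {
		return "", ErrOutsideRoot
	}
	// Join cleans the result, so ".." components are folded in lexically here.
	candidate := filepath.Join(absRoot, rel)
	if !within(absRoot, candidate) {
		return "", ErrOutsideRoot
	}
	// The lexical check is not enough: a symlink inside root may point anywhere.
	resolved, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return "", err
	}
	if !within(absRoot, resolved) {
		return "", ErrOutsideRoot
	}
	return resolved, nil
}

// within reports whether p is root itself or a descendant of root.
func within(root, p string) bool {
	return p == root || strings.HasPrefix(p, root+string(filepath.Separator))
}

// Demo builds a constructed checkout in a temp dir and issues three requests:
// a legitimate file, a ".." traversal, and a symlink that escapes the root.
// It returns the errors from the two escaping requests (nil would mean the check failed)
// and a setup error if the constructed layout could not be created.
func Demo() (traversalErr, symlinkErr error, setupErr error) {
	base, err := os.MkdirTemp("", "safejoin-demo")
	if err != nil {
		return nil, nil, err
	}
	defer os.RemoveAll(base)
	root := filepath.Join(base, "checkout")
	secret := filepath.Join(base, "secret.txt") // deliberately outside the checkout root
	if err := os.Mkdir(root, 0o755); err != nil {
		return nil, nil, err
	}
	if err := os.WriteFile(filepath.Join(root, "README.md"), []byte("hello"), 0o644); err != nil {
		return nil, nil, err
	}
	if err := os.WriteFile(secret, []byte("constructed secret"), 0o600); err != nil {
		return nil, nil, err
	}
	if err := os.Symlink(secret, filepath.Join(root, "link")); err != nil {
		return nil, nil, err
	}
	if _, err := SafeJoin(root, "README.md"); err != nil {
		return nil, nil, fmt.Errorf("legitimate read was rejected: %w", err)
	}
	_, traversalErr = SafeJoin(root, "../secret.txt")
	_, symlinkErr = SafeJoin(root, "link")
	return traversalErr, symlinkErr, nil
}

func main() {
	traversal, symlink, err := Demo()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	fmt.Println("../secret.txt ->", traversal)
	fmt.Println("link (symlink out of root) ->", symlink)
}
```

The order of the two checks matters: cleaning alone would accept `link`, and symlink resolution alone would follow `../secret.txt` to a real file, so a reader that confines a checkout has to apply both before opening anything.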

An attacker can obtain sensitive information such as SSH keys, other user credentials, or private messages by reading an input stream. This is a low-severity issue, as it requires a user to deliberately click a link to an attacker-controlled website in order to exploit the vulnerability.


Solution and Workaround

In order to mitigate this vulnerability, the attacker would have to persuade a user to click a link, which would be difficult for an attacker to do.

Dependencies

This issue has been reported in Git before version 1.9.9, but it is not yet known whether it affects other Git versions.


References
