CVE-2022-25856 The package github.com/argoproj/argo-events/sensors/artifacts before 1.7.1 has a vulnerability that allows for Directory Traversal.
/home/user>/.github/ or /etc/passwd if the --bare option is provided.
[Additionally, this issue applies to the events package, but has not yet been reported.]
Git before version 1.9.9 is vulnerable to Directory Traversal in the (g *GitArtifactReader).Read() API in git.go. This could allow arbitrary file reads if the GitArtifactReader is provided a pathname containing a symbolic link or an implicit directory name such as ...
An attacker can obtain sensitive information such as SSH keys, other user credentials, or private messages by reading an inputstream. This is a low-severity issue, as it requires a user to deliberately click a link to an attacker-controlled website in order to exploit the vulnerability. An attacker can obtain sensitive information such as SSH keys, other user credentials, or private messages by reading an inputstream. This is a low-severity issue, as it requires a user to deliberately click a link to an attacker-controlled website in order to exploit the vulnerability.
Additionally, this issue applies to the events package, but has not yet been reported. An attacker can obtain sensitive information such as SSH keys, other user credentials, or private messages by reading an inputstream. This is a low-severity issue, as it requires a user to deliberately click a link to an attacker-controlled website in order to exploit the vulnerability. Additionally, this issue applies
Solution and Workaround
In order to mitigate this vulnerability, the attacker would have to persuade a user to click a link which would be difficult for an attacker to do.
Dependencies
This issue has been reported in the Git before version 1.9.9, but it is not yet known if it affects other git versions.
Git before version 1.9.9 is vulnerable to Directory Traversal in the (g *GitArtifactReader).Read() API in git.go. This could allow arbitrary file reads if the GitArtifactReader is provided a pathname containing a symbolic link or an implicit directory name such as ...
Timeline
Published on: 06/17/2022 20:15:00 UTC
Last modified on: 06/28/2022 14:54:00 UTC