Rancher/Wrangler: Denial of service when processing Git credentials
Description
Improper neutralization of special elements in git credentials in SUSE Rancher's wrangler library allows remote denial of service via crafted input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The wrangler library, used by SUSE Rancher for Git operations, fails to properly neutralize special elements in output used by downstream Git commands. Specifically, when handling git credentials, specially crafted input can cause command injection or unexpected behavior, leading to denial of service [1][3].
A remote attacker can supply malicious git credentials to the affected component. No authentication is required because credentials are passed as parameters; the vulnerability is triggered during Git operations such as clone or ls-remote [3].
Successful exploitation results in denial of service, potentially crashing the application or exhausting system resources. The impact is limited to availability, as the injection is not designed for arbitrary code execution [3].
The issue has been patched in wrangler commit 341018c8fef3e12867c7cb2649bd2cecac75f287, which adds a `--` separator before positional arguments to prevent argument injection and double-quotes the environment variable expansion in the credential helper [4]. Affected versions include wrangler 0.7.3 and prior, 0.8.4 and prior, and 1.0.0 and prior. Users should update to the latest version for their Rancher release; see the wrangler version mapping in the repository [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
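The mitigations described above (`--` before positional arguments, the branch bound to its option as `--branch=`, and the password handed to a double-quoted credential helper through the environment), as an added Go example that is not wrangler's code. It goes one step beyond the patch: `checkPositional` and `ErrBadArg` are an input pre-check chosen for this example, not part of the upstream fix.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// ErrBadArg marks a value git could read as an option (name chosen for this example).
var ErrBadArg = errors.New("refusing git argument")

// checkPositional rejects values starting with "-" or carrying control characters.
func checkPositional(v string) error {
	if v == "" || strings.HasPrefix(v, "-") || strings.ContainsAny(v, "\x00\r\n") {
		return fmt.Errorf("%w: %q", ErrBadArg, v)
	}
	return nil
}

// cloneArgs follows the shape of the patched call: the branch is bound to its
// option with "=", and "--" ends option parsing before the URL and directory.
func cloneArgs(branch, url, dir string) ([]string, error) {
	for _, v := range []string{url, dir} {
		if err := checkPositional(v); err != nil {
			return nil, err
		}
	}
	args := []string{"clone", "--depth=1", "-n"}
	if branch != "" {
		if err := checkPositional(branch); err != nil {
			return nil, err
		}
		args = append(args, "--branch="+branch)
	}
	return append(args, "--", url, dir), nil
}

// gitCommand keeps the password out of argv: a helper echoes it from the environment,
// double-quoted against splitting/globbing; a newline would add a second credential line.
func gitCommand(password string, args ...string) (*exec.Cmd, error) {
	if strings.ContainsAny(password, "\x00\r\n") {
		return nil, fmt.Errorf("%w: password contains control characters", ErrBadArg)
	}
	helper := `credential.helper=/bin/sh -c 'echo "password=$GIT_PASSWORD"'`
	cmd := exec.Command("git", append([]string{"-c", helper}, args...)...)
	cmd.Env = append(os.Environ(), "GIT_PASSWORD="+password)
	return cmd, nil
}
```

The returned `*exec.Cmd` is only built, not run, so the example needs no repository or network; the branch, URL and directory values are constructed for illustration.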
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/rancher/wrangler | Go | < 0.7.4-security1 | 0.7.4-security1 |
| github.com/rancher/wrangler | Go | >= 0.8.0, < 0.8.5-security1 | 0.8.5-security1 |
| github.com/rancher/wrangler | Go | >= 1.0.0, < 1.0.1 | 1.0.1 |
| github.com/rancher/wrangler | Go | >= 0.8.6, < 0.8.11 | 0.8.11 |
Affected products
Patches
1 file changed · +6 −6
pkg/git/git.go+6 −6 modified@@ -68,7 +68,7 @@ func (g *Git) LsRemote(branch string, commit string) (string, error) { } output := &bytes.Buffer{} - if err := g.gitCmd(output, "ls-remote", g.URL, formatRefForBranch(branch)); err != nil { + if err := g.gitCmd(output, "ls-remote", "--", g.URL, formatRefForBranch(branch)); err != nil { return "", err } @@ -97,9 +97,9 @@ func (g *Git) Head(branch string) (string, error) { // Clone runs git clone with depth 1 func (g *Git) Clone(branch string) error { if branch == "" { - return g.git("clone", "--depth=1", "-n", g.URL, g.Directory) + return g.git("clone", "--depth=1", "-n", "--", g.URL, g.Directory) } - return g.git("clone", "--depth=1", "-n", "--branch", branch, g.URL, g.Directory) + return g.git("clone", "--depth=1", "-n", "--branch="+branch, "--", g.URL, g.Directory) } // Update updates git repo if remote sha has changed @@ -302,22 +302,22 @@ func (g *Git) clone(branch string) error { } func (g *Git) fetchAndReset(rev string) error { - if err := g.git("-C", g.Directory, "fetch", "origin", rev); err != nil { + if err := g.git("-C", g.Directory, "fetch", "origin", "--", rev); err != nil { return err } return g.reset("FETCH_HEAD") } func (g *Git) reset(rev string) error { - return g.git("-C", g.Directory, "reset", "--hard", rev) + return g.git("-C", g.Directory, "reset", "--hard", "--", rev) } func (g *Git) currentCommit() (string, error) { return g.gitOutput("-C", g.Directory, "rev-parse", "HEAD") } func (g *Git) gitCmd(output io.Writer, args ...string) error { - kv := fmt.Sprintf("credential.helper=%s", "/bin/sh -c 'echo password=$GIT_PASSWORD'") + kv := fmt.Sprintf("credential.helper=%s", `/bin/sh -c 'echo "password=$GIT_PASSWORD"'`) cmd := exec.Command("git", append([]string{"-c", kv}, args...)...) cmd.Env = append(os.Environ(), fmt.Sprintf("GIT_PASSWORD=%s", g.password)) stderrBuf := &bytes.Buffer{}
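Review bot: no test accompanies the LsRemote hunk (or the other two); the `--` before `g.URL` protects both the URL and the output of `formatRefForBranch(branch)`, but nothing pins that. A table test that routes a URL, branch and revision beginning with `-` through LsRemote, Clone and fetchAndReset with `gitCmd` stubbed, and asserts on the argv each builds, would stop a later refactor from silently dropping the separator.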
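Review bot: the change from the two-token `"--branch", branch` to `"--branch="+branch` in Clone is the important part of this hunk and deserves a comment on that line: with two tokens, a branch value beginning with `-` is parsed by git as a separate option, and the `--` added afterwards only protects what follows it (`g.URL`, `g.Directory`). Without a comment saying why the `=` form is required, a future tidy-up is likely to revert it.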
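Review bot: the `--` added in `reset` changes what git does rather than hardening it. `git reset --hard -- FETCH_HEAD` is parsed under the `git reset [<mode>] [--] <pathspec>...` form, so `FETCH_HEAD` becomes a pathspec instead of the revision, and git refuses a hard reset with paths ("Cannot do hard reset with paths"), which would make fetchAndReset fail after every successful fetch. The only visible caller passes the literal `"FETCH_HEAD"`, so revert that line to `return g.git("-C", g.Directory, "reset", "--hard", rev)` and keep the separator in `fetchAndReset`, where `fetch origin -- <refspec>` is the documented form. The `gitCmd` quoting change is right as far as it goes: the double quotes stop the shell from word-splitting or globbing the expanded password, and the value is never re-parsed because it arrives through `GIT_PASSWORD` in the environment rather than in the command string. Consider additionally rejecting a password that contains a newline before the command is built, since the helper would then print a second line into git's credential protocol.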
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-8fcj-gf77-47mg (advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-43756 (advisory)
- bugzilla.suse.com/show_bug.cgi (web)
- github.com/rancher/rancher/security/policy (web)
- github.com/rancher/wrangler/commit/341018c8fef3e12867c7cb2649bd2cecac75f287 (web)
- github.com/rancher/wrangler/security/advisories/GHSA-8fcj-gf77-47mg (web)
- pkg.go.dev/vuln/GO-2023-1515 (web)