VYPR
Moderate severity · NVD Advisory · Published Feb 7, 2023 · Updated Mar 25, 2025

Rancher: Command injection in Git package

CVE-2022-43758

Description

A command injection vulnerability in SUSE Rancher's Git package allows admin users with the ability to add untrusted Helm catalogs or modify KDM URL configurations to execute arbitrary OS commands on the underlying host.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


CVE-2022-43758 is an OS Command Injection vulnerability found in the Git package of SUSE Rancher. The root cause is improper neutralization of special elements when executing Git commands, so crafted input is not treated as inert data when the Git command is built [1][3]. This allows specially designed repository URLs or KDM configuration changes to inject arbitrary commands into the underlying Git binary execution path.

To exploit this vulnerability, an attacker must have the ability to add an untrusted Helm catalog or modify the URL configuration used to download KDM (Kontainer Driver Metadata) releases. By default, only Rancher administrators have permission to manage these configurations for the local cluster where Rancher is provisioned [3]. The attack surface includes the Catalogs menu for Helm charts and the KDM URL settings.

If successfully exploited, an attacker can achieve remote code execution on the host running Rancher, gaining full control over the container management platform and potentially the underlying infrastructure [1][3]. The impact is significant due to Rancher's role in managing Kubernetes clusters.

SUSE has released patched versions 2.5.17, 2.6.10, and 2.7.1, which address the vulnerability [3]. Affected users should upgrade immediately as no effective workaround exists beyond only adding trusted catalogs and KDM URLs [3]. Administrators should also ensure that any custom Go library implementations using Rancher's Git package are updated to patched versions.
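As an added illustration (not Rancher's code and not the specific fix shipped in the patched releases), the Go snippet below shows the hardening pattern the root cause calls for: validate a catalog or KDM URL before it reaches git, then exec the git binary directly with an explicit `--` so the value can never be parsed as an option or by a shell. The scheme allow-list, the `ValidateRepoURL`/`CloneArgs`/`Clone` names and the sample URLs are assumptions; scp-style `user@host:path` values are rejected by this check.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
	"os/exec"
	"strings"
)

// Assumed allow-list: only URL forms that git fetches over the network.
var allowedSchemes = map[string]bool{"https": true, "http": true, "ssh": true, "git": true}

// ValidateRepoURL refuses values git could read as something other than a plain
// remote location: an option (leading '-'), a local path, or an unexpected scheme.
func ValidateRepoURL(raw string) error {
	if strings.HasPrefix(raw, "-") {
		return fmt.Errorf("repository URL %q must not start with '-'", raw)
	}
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("repository URL does not parse: %w", err)
	}
	if !allowedSchemes[strings.ToLower(u.Scheme)] || u.Host == "" {
		return fmt.Errorf("scheme %q with host %q is not allowed", u.Scheme, u.Host)
	}
	return nil
}

// CloneArgs builds git's argv: "--" ends option parsing, so neither the URL nor
// the destination can be interpreted as a flag whatever characters they contain.
func CloneArgs(repoURL, dest string) ([]string, error) {
	if err := ValidateRepoURL(repoURL); err != nil {
		return nil, err
	}
	return []string{"clone", "--depth", "1", "--", repoURL, dest}, nil
}

// Clone execs the git binary directly (exec.Command never involves a shell);
// GIT_TERMINAL_PROMPT=0 keeps a bad URL from hanging on a credential prompt.
func Clone(repoURL, dest string) error {
	args, err := CloneArgs(repoURL, dest)
	if err != nil {
		return err
	}
	cmd := exec.Command("git", args...)
	cmd.Env = append(os.Environ(), "GIT_TERMINAL_PROMPT=0")
	return cmd.Run()
}
```

The same validation belongs on the KDM URL setting, since the page describes both inputs reaching the Git invocation.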

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions     Patched versions
github.com/rancher/rancher (Go)  >= 2.5.0, < 2.5.17    2.5.17
github.com/rancher/rancher (Go)  >= 2.6.0, < 2.6.10    2.6.10
github.com/rancher/rancher (Go)  >= 2.7.0, < 2.7.1     2.7.1
