CVE-2022-25856

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-25856

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-25856.json

Aliases

GHSA-qpgx-64h2-gc3c
GO-2022-0492
SNYK-GOLANG-GITHUBCOMARGOPROJARGOEVENTSSENSORSARTIFACTS-2864522

Published

2022-06-17T20:15:10Z

Modified

2023-11-29T09:30:49.935062Z

Details

The package github.com/argoproj/argo-events/sensors/artifacts before 1.7.1 are vulnerable to Directory Traversal in the (g *GitArtifactReader).Read() API in git.go. This could allow arbitrary file reads if the GitArtifactReader is provided a pathname containing a symbolic link or an implicit directory name such as ...

References

Affected packages

Git / github.com/argoproj/argo-events

Affected ranges

Type: GIT
Repo: https://github.com/argoproj/argo-events
Events: Introduced

0The exact introduced commit is unknown

Fixed

d0f66dbce78bc31923ca057b20fc722aa24ca961

Affected versions

v.*

v.0.9

v0.*

v0.10

v0.11

v0.12

v0.12-rc

v0.13.0

v0.13.0-rc

v0.14.0

v0.15.0

v0.16.0

v0.17.0

v0.5

v0.5-alpha1

v0.5-beta1

v0.6

v0.7

v0.8

v0.8.1

v0.8.2

v0.8.3

v0.9.1

v0.9.2

v0.9.3

v1.*

v1.7.0

v1.7.0-rc1