CVE-2024-42471

2024-09-0218:15:35

CWE-22

GitHub_M

web.nvd.nist.gov

github

toolkit

vulnerability

arbitrary file write

upgrade

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

21.9%

JSON

actions/artifact is the GitHub ToolKit for developing GitHub Actions. Versions of actions/artifact before 2.1.7 are vulnerable to arbitrary file write when using downloadArtifactInternal, downloadArtifactPublic, or streamExtractExternal for extracting a specifically crafted artifact that contains path traversal filenames. Users are advised to upgrade to version 2.1.7 or higher. There are no known workarounds for this issue.

Affected configurations

Nvd

Vulners

Vulnrichment

Node

githubactions\/artifactRange2.0.0–2.1.7node.js

Node

githubactions_toolkitMatch-

VendorProductVersionCPE
githubactions\/artifact*cpe:2.3:a:github:actions\/artifact:*:*:*:*:*:node.js:*:*
githubactions_toolkit-cpe:2.3:a:github:actions_toolkit:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
github	actions\/artifact	*	cpe:2.3:a:github:actions\/artifact::::::node.js::*
github	actions_toolkit	-	cpe:2.3:a:github:actions_toolkit:-:::::::*

CNA Affected

[
  {
    "vendor": "actions",
    "product": "toolkit",
    "versions": [
      {
        "version": "< 2.1.7",
        "status": "affected"
      }
    ]
  }
]