Lucene search

GitHub_MCVELIST:CVE-2023-42798

HistorySep 22, 2023 - 3:13 p.m.

CVE-2023-42798 AutomataCI Release Job Can Revert Repo to First Commit

2023-09-2215:13:48

CWE-20

GitHub_M

www.cve.org

automataci

vulnerability

git repository

patch

workaround

CVSS3

8.2

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H

AI Score

9.4

Confidence

High

EPSS

0.001

Percentile

23.9%

JSON

AutomataCI is a template git repository equipped with a native built-in semi-autonomous CI tools. An issue in versions 1.4.1 and below can let a release job reset the git root repository to the first commit. Version 1.5.0 has a patch for this issue. As a workaround, make sure the PROJECT_PATH_RELEASE (e.g. releases/) directory is manually and actually git cloned properly, making it a different git repostiory from the root git repository.

CNA Affected

[
  {
    "vendor": "ChewKeanHo",
    "product": "AutomataCI",
    "versions": [
      {
        "version": "< 1.5.0",
        "status": "affected"
      }
    ]
  }
]

References

github.com/ChewKeanHo/AutomataCI/issues/93

github.com/ChewKeanHo/AutomataCI/security/advisories/GHSA-6q23-vhhg-8h89

CVSS3

8.2

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H

AI Score

9.4

Confidence

High

EPSS

0.001

Percentile

23.9%

JSON

Related for CVELIST:CVE-2023-42798