Lucene search

GitHub Advisory DatabaseGHSA-CXWW-7G56-2VH6

HistorySep 03, 2024 - 8:55 p.m.

@actions/download-artifact has an Arbitrary File Write via artifact extraction

2024-09-0320:55:34

CWE-22

GitHub Advisory Database

github.com

arbitrary file write

zip slip vulnerability

path traversal

upgrade

cve-2024-42471

google

artifact extraction

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

21.9%

JSON

Impact

Versions of actions/download-artifact before 4.1.7 are vulnerable to arbitrary file write when downloading and extracting a specifically crafted artifact that contains path traversal filenames.

Patches

Upgrade to version 4.1.7 or higher. Alternatively use ‘v4’ tag which points to the latest and secure version.

References

CVE

CVE-2024-42471

Credits

Justin Taft from Google

Affected configurations

Vulners

Node

actionsdownload-artifactRange4.0.0–4.1.7

VendorProductVersionCPE
actionsdownload-artifact*cpe:2.3:a:actions:download-artifact:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
actions	download-artifact	*	cpe:2.3:a:actions:download-artifact::::::::

References

github.com/actions/download-artifact/releases/tag/v4.1.7

github.com/actions/download-artifact/security/advisories/GHSA-cxww-7g56-2vh6

github.com/advisories/GHSA-6q32-hq47-5qq3

github.com/advisories/GHSA-cxww-7g56-2vh6

snyk.io/research/zip-slip-vulnerability

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

21.9%

JSON

Related for GHSA-CXWW-7G56-2VH6