Lucene search

K
githubGitHub Advisory DatabaseGHSA-F9QJ-7GH3-MHJ4
HistoryOct 19, 2022 - 6:54 p.m.

run-terraform allows for RCE via terraform plan

2022-10-1918:54:28
CWE-94
GitHub Advisory Database
github.com
8
vulnerability
run-terraform
rce
terraform plan
upgrade
malicious actor
github workflows

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

64.7%

Impact

What kind of vulnerability is it? Who is impacted?
All users of the run-terraform reusable workflow from the kartverket/github-workflows repo are affected. A malicious actor could potentially send a PR with a malicious payload leading to execution of arbitrary JavaScript code in the context of the workflow.

Patches

Has the problem been patched? What versions should users upgrade to?
Upgrade to at least 2.7.5 to resolve the issue.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?
Until you are able to upgrade, make sure to review any PRs from exernal users for malicious payloads before allowing them to trigger a build.

For more information

If you have any questions or comments about this advisory:

Affected configurations

Vulners
Node
kartverketgithub-workflowsRange<2.7.5
VendorProductVersionCPE
kartverketgithub-workflows*cpe:2.3:a:kartverket:github-workflows:*:*:*:*:*:*:*:*

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

64.7%

Related for GHSA-F9QJ-7GH3-MHJ4