GoogleOSV:GHSA-6Q32-HQ47-5QQ3@actions/artifact has an Arbitrary File Write via artifact extraction
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
21.9%
Impact
Versions of actions/artifact before 2.1.7 are vulnerable to arbitrary file write when using downloadArtifactInternal, downloadArtifactPublic, or streamExtractExternal for extracting a specifically crafted artifact that contains path traversal filenames.
Patches
Upgrade to version 2.1.7 or higher.
References
CVE
CVE-2024-42471
Credits
Justin Taft from Google
References
github.com/actions/download-artifact/blob/v3/package.json#L31
github.com/actions/toolkit
github.com/actions/toolkit/commit/29885a805ef3e95a9862dcaa8431c30981960017
github.com/actions/toolkit/pull/1602
github.com/actions/toolkit/pull/1724
github.com/actions/toolkit/security/advisories/GHSA-6q32-hq47-5qq3
nvd.nist.gov/vuln/detail/CVE-2024-42471
snyk.io/research/zip-slip-vulnerability
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
21.9%