PT-2024-29282 · Unknown · Monkeytype

🗓️ 17 Feb 2024 00:00:00Reported by Positive TechnologiesType

ptsecurity

ptsecurity🔗 dbugs.ptsecurity.com👁 3 Views

Code injection in Monkeytype workflow risks PR write access; upgrade to 24.30.0.

Reporter	Title	Published	Views	Family All 8
Circl	CVE-2024-41127	2 Aug 202418:11	–	circl
CNNVD	Monkeytype 安全漏洞	2 Aug 202400:00	–	cnnvd
CVE	CVE-2024-41127	2 Aug 202414:46	–	cve
Cvelist	CVE-2024-41127 Monkeytype is vulnerable to Poisoned Pipeline Execution through Code Injection in its `ci-failure-comment.yml` GitHub Workflow, enabling attackers to gain `pull-requests` write access.	2 Aug 202414:46	–	cvelist
EUVD	EUVD-2024-38940	3 Oct 202520:07	–	euvd
NVD	CVE-2024-41127	2 Aug 202415:16	–	nvd
OSV	CVE-2024-41127 Monkeytype is vulnerable to Poisoned Pipeline Execution through Code Injection in its `ci-failure-comment.yml` GitHub Workflow, enabling attackers to gain `pull-requests` write access.	2 Aug 202414:46	–	osv
Vulnrichment	CVE-2024-41127 Monkeytype is vulnerable to Poisoned Pipeline Execution through Code Injection in its `ci-failure-comment.yml` GitHub Workflow, enabling attackers to gain `pull-requests` write access.	2 Aug 202414:46	–	vulnrichment

Source	Link
securitylab	www.securitylab.github.com/advisories/GHSL-2024-167_monkeytype
github	www.github.com/monkeytypegame/monkeytype/commit/29627fd0d5f152e2da59671987090ea0a5c29874
github	www.github.com/monkeytypegame/monkeytype/security/advisories/GHSA-wcjf-5464-4wq9
nvd	www.nvd.nist.gov/vuln/detail/CVE-2024-41127
osv	www.osv.dev/vulnerability/CVE-2024-41127
twitter	www.twitter.com/Tcurryme/status/1758886292887110110
t	www.t.me/cvenotify/89197
twitter	www.twitter.com/oktsec/status/1823422834393133539
t	www.t.me/cvenotify/94174
t	www.t.me/cvedetector/2354

11 Sep 2024 00:00Current

7.7High risk

Vulners AI Score7.7

CVSS 3.18.3 - 9.6

EPSS0.01082

SSVC

poisoned pipeline execution code injection monkeytype ci failure workflow pull request access before 24.30.0