1351 matches found
CVE-2024-54132
The GitHub CLI is GitHub’s official command line tool. A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download. This vulnerability stems from ...
CVE-2024-54132
Summary: CVE-2024-54132 affects GitHub CLI (gh). When a user downloads a GitHub Actions workflow artifact named .. using gh run download, the artifact name and the --dir value determine the extraction path, causing files within the artifact to be extracted one directory higher than intended. This...
CVE-2024-54132 GitHub CLI allows downloading malicious GitHub Actions workflow artifact to result in path traversal vulnerability
The GitHub CLI is GitHub’s official command line tool. A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download. This vulnerability stems from ...
CVE-2024-54132 GitHub CLI allows downloading malicious GitHub Actions workflow artifact to result in path traversal vulnerability
The GitHub CLI is GitHub’s official command line tool. A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download. This vulnerability stems from ...
GitHub CLI 路径遍历漏洞
GitHub CLI is the GitHub CLI open source for GitHub on the command line. A path traversal vulnerability exists in GitHub CLI version 2.63.0 and earlier, which stems from the possibility that files may be created or overwritten in unintended directories when a user downloads a malicious GitHub...
CVE-2024-52587
A flaw was found in Harden-Runner. Multiple command injection weaknesses via environment variables were identified that could potentially be exploited under specific conditions. However, due to the current execution order of pre-steps in GitHub Actions and the placement of harden-runner as the...
Harden-Runner has a command injection weaknesses in `setup.ts` and `arc-runner.ts`
Summary Versions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via environment variables that could potentially be exploited under specific conditions. However, due to the current execution order of pre-steps in GitHub Actions and the placement of...
GHSA-G85V-WF27-67XC Harden-Runner has a command injection weaknesses in `setup.ts` and `arc-runner.ts`
Summary Versions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via environment variables that could potentially be exploited under specific conditions. However, due to the current execution order of pre-steps in GitHub Actions and the placement of...
CVE-2024-52587 Harden-Runner has command injection weaknesses in `setup.ts` and `arc-runner.ts`
StepSecurity's Harden-Runner provides network egress filtering and runtime security for GitHub-hosted and self-hosted runners. Versions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via environment variables that could potentially be exploited under...
CVE-2024-52587 Harden-Runner has command injection weaknesses in `setup.ts` and `arc-runner.ts`
StepSecurity's Harden-Runner provides network egress filtering and runtime security for GitHub-hosted and self-hosted runners. Versions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via environment variables that could potentially be exploited under...
CVE-2024-52587
The CVE applies to StepSecurity Harden-Runner. Versions prior to v2.10.2 contain multiple command-injection weaknesses via environment variables in setup.ts and arc-runner.ts, exploitable under specific conditions. However, the documentation notes that due to GitHub Actions pre-step execution ord...
GitHub Actions Vulnerable to Typosquatting, Exposing Developers to Hidden Malicious Code
Threat actors have long leveraged typosquatting as a means to trick unsuspecting users into visiting malicious websites or downloading booby-trapped software and packages. These attacks typically involve registering domains or packages with names slightly altered from their legitimate counterpart...
CVE-2024-42471 Arbitrary File Write via artifact extraction in actions/artifact
actions/artifact is the GitHub ToolKit for developing GitHub Actions. Versions of actions/artifact on the 2.x branch before 2.1.2 are vulnerable to arbitrary file write when using downloadArtifactInternal, downloadArtifactPublic, or streamExtractExternal for extracting a specifically crafted...
CVE-2024-42471 Arbitrary File Write via artifact extraction in actions/artifact
actions/artifact is the GitHub ToolKit for developing GitHub Actions. Versions of actions/artifact on the 2.x branch before 2.1.2 are vulnerable to arbitrary file write when using downloadArtifactInternal, downloadArtifactPublic, or streamExtractExternal for extracting a specifically crafted...
CVE-2024-42471 Arbitrary File Write via artifact extraction in actions/artifact
actions/artifact is the GitHub ToolKit for developing GitHub Actions. Versions of actions/artifact on the 2.x branch before 2.1.2 are vulnerable to arbitrary file write when using downloadArtifactInternal, downloadArtifactPublic, or streamExtractExternal for extracting a specifically crafted...
GitHub Actions Toolkit 路径遍历漏洞
GitHub Actions Toolkit is a Github Actions open source toolkit for GitHub Actions. A path traversal vulnerability exists in GitHub Actions Toolkit versions prior to 2.1.7. An attacker exploiting this vulnerability could read arbitrary files on the server running the application...
ArtiPACKED Flaw Exposed GitHub Actions to Token Leaks
Discover how GitHub Actions artifacts leak sensitive authentication tokens, exposing popular open-source projects to security risks. Learn about…...
GitHub Vulnerability 'ArtiPACKED' Exposes Repositories to Potential Takeover
A newly discovered attack vector in GitHub Actions artifacts dubbed ArtiPACKED could be exploited to take over repositories and gain access to organizations' cloud environments. "A combination of misconfigurations and security flaws can make artifacts leak tokens, both of third party cloud servic...
GitHub Actions Script Injection in `ultralytics/actions`
Summary The Ultralytics action available at https://github.com/marketplace/actions/ultralytics-actions is vulnerable to GitHub Actions script injection. If anyone uses the action within a workflow that runs on the pullrequesttarget trigger, then an attacker can inject arbitrary code into that...
GHSA-7X29-QQMQ-V6QC GitHub Actions Script Injection in `ultralytics/actions`
Summary The Ultralytics action available at https://github.com/marketplace/actions/ultralytics-actions is vulnerable to GitHub Actions script injection. If anyone uses the action within a workflow that runs on the pullrequesttarget trigger, then an attacker can inject arbitrary code into that...