Information disclosure
An information disclosure vulnerability was identified in GitHub Enterprise Server that allowed private repositories to be added to a GitHub Actions runner group via the API by a user who did not have access to those repositories, resulting in the repository names being shown in the UI. To exploi...
CVE-2022-46257 Information disclosure in GitHub Enterprise Server leading to unauthorized viewing of private repository names
An information disclosure vulnerability was identified in GitHub Enterprise Server that allowed private repositories to be added to a GitHub Actions runner group via the API by a user who did not have access to those repositories, resulting in the repository names being shown in the UI. To exploi...
CVE-2022-46257
CVE-2022-46257 describes an information-disclosure vulnerability in GitHub Enterprise Server that allowed private repositories to be added to a GitHub Actions runner group via the API by a user who lacked access to those repositories, causing repository names to appear in the UI. The attack would...
PT-2023-19310 · Microsoft · Azure/Setup-Kubectl
Name of the Vulnerable Software and Affected Versions: Azure/setup-kubectl versions prior to 3
Description: The issue arises from an insecure temporary creation of a file, allowing other actors on the Actions runner to replace the Kubectl binary created by this action because it is world writable...
CVE-2023-22381
A code injection vulnerability was identified in GitHub Enterprise Server that allowed setting arbitrary environment variables from a single environment variable value in GitHub Actions when using a Windows based runner. To exploit this vulnerability, an attacker would need existing permission to...
CVE-2023-22381
CVE-2023-22381 is a code injection vulnerability in GitHub Enterprise Server that allows setting arbitrary environment variables via a single env var value in GitHub Actions when running on Windows. The root cause is the insecure handling of environment variables in the Actions workflow context, ...
CVE-2023-22381 Code injection in GitHub Enterprise Server leading to arbitrary environment variables in GitHub Actions
A code injection vulnerability was identified in GitHub Enterprise Server that allowed setting arbitrary environment variables from a single environment variable value in GitHub Actions when using a Windows based runner. To exploit this vulnerability, an attacker would need existing permission to...
Researchers Hijack Popular NPM Package with Millions of Downloads
A popular npm package with more than 3.5 million weekly downloads has been found vulnerable to an account takeover attack. "The package can be taken over by recovering an expired domain name for one of its maintainers and resetting the password," software supply chain security company Illustria...
Path traversal
act is a project which allows for local running of github actions. The artifact server that stores artifacts from Github Action runs does not sanitize path inputs. This allows an attacker to download and overwrite arbitrary files on the host from a Github Action. This issue may lead to privilege...
CVE-2023-22726 Unrestricted file upload leading to privilege escalation in act
act is a project which allows for local running of github actions. The artifact server that stores artifacts from Github Action runs does not sanitize path inputs. This allows an attacker to download and overwrite arbitrary files on the host from a Github Action. This issue may lead to privilege...
act path traversal vulnerability
GitHub act is a tool for running GitHub Actions locally. act suffers from a path traversal vulnerability that stems from path inputs not being sanitized, which may lead to privilege escalation...
MAL-2023-474 Malicious code in github-actions-slack (npm)
Source: ghsa-malware b0838fb57bbc4692fe40f976eb83599cc51f263c1c3a3eb1b231cbb7939a34a3. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
LiuOS security vulnerability
LiuOS is a small Python project designed to mimic the functionality of a regular operating system. A security vulnerability exists in versions of LiuOS prior to 0.1.1 that allows an attacker to set the GITHUBACTIONS environment variable to any value other than nu...
PT-2022-27790 · Liuos · Liuos
Name of the Vulnerable Software and Affected Versions: LiuOS versions 0.1.0 and prior
Description: LiuOS is a small Python project that imitates the functions of a regular operating system. The issue allows an attacker to set the GITHUB ACTIONS environment variable to anything other than null or...
Installers generated by Squirrel.Windows may insecurely load Dynamic Link Libraries
Overview: Squirrel.Windows is both a toolset and a library that provides installation and update functionality for Windows desktop applications. Installers generated by Squirrel.Windows contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427)...
Malware Strains Targeting Python and JavaScript Developers Through Official Repositories
An active malware campaign is targeting the Python Package Index (PyPI) and npm repositories for Python and JavaScript with typosquatted and fake modules that deploy a ransomware strain, marking the latest security issue to affect software supply chains. The typosquatted Python packages all...
CVE-2022-23740
CRITICAL: An improper neutralization of argument delimiters in a command vulnerability was identified in GitHub Enterprise Server that enabled remote code execution. To exploit this vulnerability, an attacker would need permission to create and build GitHub Pages using GitHub Actions. This...