1360 matches found

Cvelist
added 2024/05/30 2:59 p.m., 18 views

CVE-2024-3924 Code Injection in huggingface/text-generation-inference

A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the autodocs.yml workflow file. The vulnerability arises from the insecure handling of the github.head_ref user input, which is used to dynamically construct a command for installing ...

CVSS 4.4, AI score 5.3, EPSS 0.00369
Exploits 0, References 2
GithubExploit
added 2024/05/07 3:03 a.m., 39 views

nuclei_poc

Nuclei POCs Nuclei POCs, updated daily Chinese https://git...

AI score 5.8
Exploits 0
Hacker One
added 2024/04/19 4:38 p.m., 36 views

Hyperledger: Code exec on Github runner via Pull request name

A command injection vulnerability was discovered in the GitHub Actions workflow of the Hyperledger Cacti repository. The vulnerability allowed an attacker to inject arbitrary commands and execute them on the GitHub runner by crafting a malicious pull request title. The vulnerability was present i...

AI score 7.9
Exploits 0
The Hacker News
added 2024/04/16 1:26 p.m., 38 views

AWS, Google, and Azure CLI Tools Could Leak Credentials in Build Logs

New cybersecurity research has found that command-line interface (CLI) tools from Amazon Web Services (AWS) and Google Cloud can expose sensitive credentials in build logs, posing significant risks to organizations. The vulnerability has been codenamed LeakyCLI by cloud security firm Orca. "Some...

CVSS 8.6, AI score 7.1, EPSS 0.00396
Exploits 0
Github Security Blog
added 2024/03/15 8:12 p.m., 10 views

CLI for Vela Insecure Variable Substitution

Impact: Vela pipelines can use variable substitution combined with insensitive fields like parameters, image and entrypoint to inject secrets into a plugin/image and — by using common substitution string manipulation — can bypass log masking and expose secrets without the use of the commands block...

AI score 7.3
Exploits 0, References 3, Affected Software 1
OSV
added 2024/03/15 8:12 p.m., 11 views

GHSA-4JHJ-3GV3-C3GR CLI for Vela Insecure Variable Substitution

Impact: Vela pipelines can use variable substitution combined with insensitive fields like parameters, image and entrypoint to inject secrets into a plugin/image and — by using common substitution string manipulation — can bypass log masking and expose secrets without the use of the commands block...

CVSS 7.7, AI score 7.3
Exploits 0, References 3
Github Security Blog
added 2024/03/15 8:06 p.m., 19 views

Server/API for Vela Insecure Variable Substitution

Impact: Vela pipelines can use variable substitution combined with insensitive fields like parameters, image and entrypoint to inject secrets into a plugin/image and — by using common substitution string manipulation — can bypass log masking and expose secrets without the use of the commands block...

AI score 7.3
Exploits 0, References 3, Affected Software 1
OSV
added 2024/03/15 8:06 p.m., 9 views

GHSA-69P4-J5V5-X234 Server/API for Vela Insecure Variable Substitution

Impact: Vela pipelines can use variable substitution combined with insensitive fields like parameters, image and entrypoint to inject secrets into a plugin/image and — by using common substitution string manipulation — can bypass log masking and expose secrets without the use of the commands block...

CVSS 7.7, AI score 7.3
Exploits 0, References 3
OSV
added 2024/03/15 8:05 p.m., 14 views

GHSA-7V38-W32M-WX4M Types for Vela Insecure Variable Substitution

Impact: Vela pipelines can use variable substitution combined with insensitive fields like parameters, image and entrypoint to inject secrets into a plugin/image and — by using common substitution string manipulation — can bypass log masking and expose secrets without the use of the commands block...

CVSS 7.7, AI score 7.3
Exploits 0, References 3
Github Security Blog
added 2024/03/15 8:05 p.m., 12 views

Types for Vela Insecure Variable Substitution

Impact: Vela pipelines can use variable substitution combined with insensitive fields like parameters, image and entrypoint to inject secrets into a plugin/image and — by using common substitution string manipulation — can bypass log masking and expose secrets without the use of the commands block...

AI score 7.3
Exploits 0, References 3, Affected Software 1
Github Security Blog
added 2024/03/14 9:17 p.m., 23 views

Insecure Variable Substitution in Vela

Impact: Vela pipelines can use variable substitution combined with insensitive fields like parameters, image and entrypoint to inject secrets into a plugin/image and — by using common substitution string manipulation — can bypass log masking and expose secrets without the use of the commands block...

CVSS 7.7, AI score 7.3, EPSS 0.00235
Exploits 0, References 4, Affected Software 1
Prion
added 2024/03/12 9:15 p.m., 22 views

Input validation

Vela is a Pipeline Automation CI/CD framework built on Linux container technology written in Golang. Vela pipelines can use variable substitution combined with insensitive fields like parameters, image and entrypoint to inject secrets into a plugin/image and — by using common substitution string...

CVSS 4, AI score 7.8, EPSS 0.00235
Exploits 0, References 2
OSV
added 2024/03/12 8:41 p.m., 28 views

CVE-2024-28236 Insecure Variable Substitution in Vela

Vela is a Pipeline Automation CI/CD framework built on Linux container technology written in Golang. Vela pipelines can use variable substitution combined with insensitive fields like parameters, image and entrypoint to inject secrets into a plugin/image and — by using common substitution string...

CVSS 7.7, AI score 7.5, EPSS 0.00235
Exploits 0, References 4
OSV
added 2024/03/06 10:51 a.m., 22 views

BIT-COSIGN-2022-36056 Vulnerabilities with blob verification in sigstore cosign

Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First...

CVSS 5.5, AI score 6.1, EPSS 0.0002
Exploits 1, References 3
Prion
added 2024/02/14 8:15 p.m., 12 views

Authorization

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to create new branches in public repositories and run arbitrary GitHub Actions workflows with permissions from the GITHUB_TOKEN. To exploit this vulnerability, an attacker would need access...

CVSS 5.5, AI score 7.1, EPSS 0.00082
Exploits 0, References 3
Cvelist
added 2024/02/14 8:04 p.m., 15 views

CVE-2024-1482 Improper Authorization in GitHub Enterprise Server allowed unauthorized workflow execution

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to create new branches in public repositories and run arbitrary GitHub Actions workflows with permissions from the GITHUB_TOKEN. To exploit this vulnerability, an attacker would need access...

CVSS 7.1, AI score 7.1, EPSS 0.00082
Exploits 0, References 3
Vulnrichment
added 2024/02/14 8:04 p.m., 13 views

CVE-2024-1482 Improper Authorization in GitHub Enterprise Server allowed unauthorized workflow execution

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to create new branches in public repositories and run arbitrary GitHub Actions workflows with permissions from the GITHUB_TOKEN. To exploit this vulnerability, an attacker would need access...

CVSS 7.1, AI score 6.8, EPSS 0.00082
Exploits 0, References 3
Kitploit
added 2024/02/04 11:30 a.m., 25 views

Argus - A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions

This repo contains the code for our USENIX Security '23 paper "ARGUS: A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions". Argus is a comprehensive security analysis tool specifically designed for GitHub Actions. Built with an aim to enhance the security of CI/CD...

AI score 7.8
Exploits 0, References 2
The Hacker News
added 2024/01/18 12:34 p.m., 31 views

TensorFlow CI/CD Flaw Exposed Supply Chain to Poisoning Attacks

Continuous integration and continuous delivery (CI/CD) misconfigurations discovered in the open-source TensorFlow machine learning framework could have been exploited to orchestrate supply chain attacks. The misconfigurations could be abused by an attacker to "conduct a supply chain compromise of...

AI score 8.9
Exploits 0
OSSF Malicious Packages
added 2024/01/11 4:54 a.m., 3 views

Malicious code in gh-action-send-event (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b4f6d4e13a5a1a14537f878bfa2d4490b5606649326d77d4b88e205a010f124b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.9
Exploits 0, References 3