OSV
added 2023/04/28 3:10 p.m.

CVE-2023-30853 Gradle Build Action data written to GitHub Actions Cache may expose secrets

Gradle Build Action allows users to execute a Gradle Build in their GitHub Actions workflow. A vulnerability impacts GitHub workflows using the Gradle Build Action prior to version 2.4.2 that have executed the Gradle Build Tool with the configuration cache enabled, potentially exposing secrets...

CVSS 7.6 · AI score 6.8 · EPSS 0.00236
Exploits 0 · References 4
Positive Technologies
added 2023/04/28 12:00 a.m.

PT-2023-23009 · Gradle +1 · Gradle Build Tool +1

Name of the Vulnerable Software and Affected Versions: Gradle Build Action versions prior to 2.4.2 Description: A vulnerability in the Gradle Build Action impacts GitHub workflows that have executed the Gradle Build Tool with the configuration cache enabled, potentially exposing secrets configure...

CVSS 7.6 · AI score 6.5 · EPSS 0.00236
Exploits 0 · References 7
CNNVD
added 2023/04/28 12:00 a.m.

Gradle information disclosure vulnerability

Gradle is a set of JVM-based project building tools from the US company Gradle, which supports maven, Ivy repositories and more. An information disclosure vulnerability exists in Gradle versions prior to 2.4.2, which stems from the fact that data stored in the GitHub Actions cache can be read by...

CVSS 7.6 · AI score 6.4 · EPSS 0.00236
Exploits 0 · References 3
Snyk
added 2023/04/04 8:19 a.m.

Malicious Package

Overview vscode-github-actions is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this...

CVSS 9.8 · AI score 7.1
Exploits 0 · References 3
OSV
added 2023/04/03 5:41 a.m.

MAL-2023-945 Malicious code in vscode-github-actions (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d9186f60970b4228055c97ae3bbbf2c4691411f82c44db8033fc56d68cae50fa Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 7
Exploits 0 · References 1
OSSF Malicious Packages
added 2023/04/03 5:41 a.m.

Malicious code in vscode-github-actions (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d9186f60970b4228055c97ae3bbbf2c4691411f82c44db8033fc56d68cae50fa Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.9
Exploits 0 · References 1
Hacker One
added 2023/03/31 2:07 p.m.

Weblate: Testing flow includes a DeepSource secret

The testing workflow for the WeblateOrg/wlc repository included a DeepSource secret, which could have allowed a malicious actor to access parts of the repository and report artifacts to DeepSource. The recommended usage would have been to create a GitHub action environment secret and call it at...

AI score 7
Exploits 0
OSV
added 2023/03/07 8:07 p.m.

GHSA-P756-RFXH-X63H Azure/setup-kubectl: Escalation of privilege vulnerability for v3 and lower

Impact This vulnerability only impacts versions v2 and lower. An insecure temporary creation of a file allows other actors on the Actions runner to replace the Kubectl binary created by this action because it is world writable. This Kubectl tool installer runs fs.chmodSync(kubectlPath, 777) to set...

CVSS 3 · AI score 5.6 · EPSS 0.00892
Exploits 0 · References 4
NVD
added 2023/03/07 5:15 p.m.

CVE-2022-46257

An information disclosure vulnerability was identified in GitHub Enterprise Server that allowed private repositories to be added to a GitHub Actions runner group via the API by a user who did not have access to those repositories, resulting in the repository names being shown in the UI. To exploi...

CVSS 4.3 · AI score 4.2 · EPSS 0.00192
Exploits 0 · References 4
Prion
added 2023/03/07 5:15 p.m.

Information disclosure

An information disclosure vulnerability was identified in GitHub Enterprise Server that allowed private repositories to be added to a GitHub Actions runner group via the API by a user who did not have access to those repositories, resulting in the repository names being shown in the UI. To exploi...

CVSS 4 · AI score 4.2 · EPSS 0.00192
Exploits 0 · References 4 · Affected Software 1
Vulnrichment
added 2023/03/07 12:00 a.m.

CVE-2022-46257 Information disclosure in GitHub Enterprise Server leading to unauthorized viewing of private repository names

An information disclosure vulnerability was identified in GitHub Enterprise Server that allowed private repositories to be added to a GitHub Actions runner group via the API by a user who did not have access to those repositories, resulting in the repository names being shown in the UI. To exploi...

AI score 6.4 · EPSS 0.00192
Exploits 0 · References 4
Cvelist
added 2023/03/07 12:00 a.m.

CVE-2022-46257 Information disclosure in GitHub Enterprise Server leading to unauthorized viewing of private repository names

An information disclosure vulnerability was identified in GitHub Enterprise Server that allowed private repositories to be added to a GitHub Actions runner group via the API by a user who did not have access to those repositories, resulting in the repository names being shown in the UI. To exploi...

AI score 4.5 · EPSS 0.00192
Exploits 0 · References 4
CVE
added 2023/03/07 12:00 a.m.

CVE-2022-46257

CVE-2022-46257 describes an information-disclosure vulnerability in GitHub Enterprise Server that allowed private repositories to be added to a GitHub Actions runner group via the API by a user who lacked access to those repositories, causing repository names to appear in the UI. The attack would...

CVSS 4.3 · AI score 4.2 · EPSS 0.00192
Exploits 0 · References 4 · Affected Software 1
Positive Technologies
added 2023/03/06 12:00 a.m.

PT-2023-19310 · Microsoft · Azure/Setup-Kubectl

Name of the Vulnerable Software and Affected Versions: Azure/setup-kubectl versions prior to 3 Description: The issue arises from an insecure temporary creation of a file, allowing other actors on the Actions runner to replace the Kubectl binary created by this action because it is world writable...

CVSS 7 · AI score 7 · EPSS 0.00892
Exploits 0 · References 8
OSV
added 2023/03/02 9:15 p.m.

CVE-2023-22381

A code injection vulnerability was identified in GitHub Enterprise Server that allowed setting arbitrary environment variables from a single environment variable value in GitHub Actions when using a Windows based runner. To exploit this vulnerability, an attacker would need existing permission to...

CVSS 8.8 · AI score 5.9 · EPSS 0.00453
Exploits 0 · References 5
CVE
added 2023/03/02 8:54 p.m.

CVE-2023-22381

CVE-2023-22381 is a code injection vulnerability in GitHub Enterprise Server that allows setting arbitrary environment variables via a single env var value in GitHub Actions when running on Windows. The root cause is the insecure handling of environment variables in the Actions workflow context, ...

CVSS 8.8 · AI score 6.6 · EPSS 0.00453
Exploits 0 · References 5 · Affected Software 1
Cvelist
added 2023/03/02 8:54 p.m.

CVE-2023-22381 Code injection in GitHub Enterprise Server leading to arbitrary environment variables in GitHub Actions

A code injection vulnerability was identified in GitHub Enterprise Server that allowed setting arbitrary environment variables from a single environment variable value in GitHub Actions when using a Windows based runner. To exploit this vulnerability, an attacker would need existing permission to...

CVSS 4.1 · AI score 8.9 · EPSS 0.00453
Exploits 0 · References 5
Vulnrichment
added 2023/03/02 8:54 p.m.

CVE-2023-22381 Code injection in GitHub Enterprise Server leading to arbitrary environment variables in GitHub Actions

A code injection vulnerability was identified in GitHub Enterprise Server that allowed setting arbitrary environment variables from a single environment variable value in GitHub Actions when using a Windows based runner. To exploit this vulnerability, an attacker would need existing permission to...

CVSS 4.1 · AI score 7.5 · EPSS 0.00453
Exploits 0 · References 5
The Hacker News
added 2023/02/16 6:30 p.m.

Researchers Hijack Popular NPM Package with Millions of Downloads

A popular npm package with more than 3.5 million weekly downloads has been found vulnerable to an account takeover attack. "The package can be taken over by recovering an expired domain name for one of its maintainers and resetting the password," software supply chain security company Illustria...

AI score 7.1
Exploits 0
Prion
added 2023/01/20 10:15 p.m.

Path traversal

act is a project which allows for local running of github actions. The artifact server that stores artifacts from Github Action runs does not sanitize path inputs. This allows an attacker to download and overwrite arbitrary files on the host from a Github Action. This issue may lead to privilege...

CVSS 6.5 · AI score 8.6 · EPSS 0.01488
Exploits 1 · References 7 · Affected Software 1