1360 matches found
CVE-2023-22726 Unrestricted file upload leading to privilege escalation in act
act is a project which allows for local running of github actions. The artifact server that stores artifacts from Github Action runs does not sanitize path inputs. This allows an attacker to download and overwrite arbitrary files on the host from a Github Action. This issue may lead to privilege...
act path traversal vulnerability
github act is a tool for running GitHub Actions locally. act suffers from a path traversal vulnerability that stems from the fact that path inputs are not cleaned up, leading to privilege escalation...
MAL-2023-474 Malicious code in github-actions-slack (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b0838fb57bbc4692fe40f976eb83599cc51f263c1c3a3eb1b231cbb7939a34a3 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in github-actions-slack (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b0838fb57bbc4692fe40f976eb83599cc51f263c1c3a3eb1b231cbb7939a34a3 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
PT-2022-27790 · Liuos · Liuos
Name of the Vulnerable Software and Affected Versions: LiuOS versions 0.1.0 and prior Description: LiuOS is a small Python project that imitates the functions of a regular operating system. The issue allows an attacker to set the GITHUB ACTIONS environment variable to anything other than null or...
LiuOS security vulnerability
LiuOS is a small Python project designed to mimic the functionality of a regular operating system. A security vulnerability exists in versions of LiuOS prior to 0.1.1, which stems from a vulnerability that allows an attacker to set the GITHUBACTIONS environment variable to any value other than nu...
Installers generated by Squirrel.Windows may insecurely load Dynamic Link Libraries
Overview Squirrel.Windows is both a toolset and a library that provides installation and update functionality for Windows desktop applications. Installers generated by Squirrel.Windows contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427...
Malware Strains Targeting Python and JavaScript Developers Through Official Repositories
An active malware campaign is targeting the Python Package Index PyPI and npm repositories for Python and JavaScript with typosquatted and fake modules that deploy a ransomware strain, marking the latest security issue to affect software supply chains. The typosquatted Python packages all...
CVE-2022-23740
CRITICAL: An improper neutralization of argument delimiters in a command vulnerability was identified in GitHub Enterprise Server that enabled remote code execution. To exploit this vulnerability, an attacker would need permission to create and build GitHub Pages using GitHub Actions. This...
Design/Logic Flaw
CRITICAL: An improper neutralization of argument delimiters in a command vulnerability was identified in GitHub Enterprise Server that enabled remote code execution. To exploit this vulnerability, an attacker would need permission to create and build GitHub Pages using GitHub Actions. This...
CVE-2022-23740 Improper Neutralization of Argument Delimiters in a Command in GitHub Enterprise Server leading to Remote Code Execution
CRITICAL: An improper neutralization of argument delimiters in a command vulnerability was identified in GitHub Enterprise Server that enabled remote code execution. To exploit this vulnerability, an attacker would need permission to create and build GitHub Pages using GitHub Actions. This...
PT-2022-16243 · Github · Github Enterprise Server
Name of the Vulnerable Software and Affected Versions: GitHub Enterprise Server version 3.7.0 Description: An improper neutralization of argument delimiters in a command vulnerability was identified in GitHub Enterprise Server that enabled remote code execution. To exploit this vulnerability, an...
GHSA-2C6M-6GQH-6QG3 Docker Command Escaping in the GitHub Actions Runner
Impact The actions runner invokes the docker cli directly in order to run job containers, service containers, or container actions. A bug in the logic for how the environment is encoded into these docker commands was discovered that allows an input to escape the environment variable and modify th...
Docker Command Escaping in the GitHub Actions Runner
Impact The actions runner invokes the docker cli directly in order to run job containers, service containers, or container actions. A bug in the logic for how the environment is encoded into these docker commands was discovered that allows an input to escape the environment variable and modify th...
CVE-2022-39326
kartverket/github-workflows are shared reusable workflows for GitHub Actions. Prior to version 2.7.5, all users of the run-terraform reusable workflow from the kartverket/github-workflows repo are affected by a code injection vulnerability. A malicious actor could potentially send a PR with a...
CVE-2022-39321
GitHub Actions Runner is the application that runs a job from a GitHub Actions workflow. The actions runner invokes the docker cli directly in order to run job containers, service containers, or container actions. A bug in the logic for how the environment is encoded into these docker commands wa...
Command injection
GitHub Actions Runner is the application that runs a job from a GitHub Actions workflow. The actions runner invokes the docker cli directly in order to run job containers, service containers, or container actions. A bug in the logic for how the environment is encoded into these docker commands wa...
Code injection
kartverket/github-workflows are shared reusable workflows for GitHub Actions. Prior to version 2.7.5, all users of the run-terraform reusable workflow from the kartverket/github-workflows repo are affected by a code injection vulnerability. A malicious actor could potentially send a PR with a...
CVE-2022-39326 kartverket/github-workflows's run-terraform allows for RCE via terraform plan
kartverket/github-workflows are shared reusable workflows for GitHub Actions. Prior to version 2.7.5, all users of the run-terraform reusable workflow from the kartverket/github-workflows repo are affected by a code injection vulnerability. A malicious actor could potentially send a PR with a...