github.com/nektos/act is vulnerable to Privilege Escalation. The vulnerability exists in multiple functions of the artifacts server (pkg/artifacts/server.go)
because client-supplied path inputs are not sanitized, which allows an attacker to download and overwrite arbitrary files on the host.
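The weak pattern the advisory describes next to the containment check a fix adds, as an added example in Go that is not act's code; the function names, the artifact root and the sample paths are assumptions:

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a client-supplied path escapes the artifact root.
var ErrOutsideBase = errors.New("artifact path escapes base directory")

// unsafeArtifactPath shows the weak pattern (hypothetical, not act's code): the
// client-controlled name is joined onto the base directory with no check that the
// result stays inside it, so "../" segments walk out of the artifact root.
func unsafeArtifactPath(baseDir, clientPath string) string {
	return filepath.Join(baseDir, clientPath)
}

// safeArtifactPath is the hardened form: join and clean the path, then verify it is
// still under baseDir by inspecting the relative path. Any traversal attempt yields
// ErrOutsideBase. Note: symlinks inside baseDir are not resolved here; a server that
// must also defend against those would additionally apply filepath.EvalSymlinks.
func safeArtifactPath(baseDir, clientPath string) (string, error) {
	base := filepath.Clean(baseDir)
	full := filepath.Join(base, clientPath) // Join cleans the result, collapsing ".."
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	// A relative path that is ".." or starts with "../" points outside base.
	// Checking for the separator avoids rejecting legitimate names like "..notes".
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return full, nil
}

func main() {
	base := "/srv/act/artifacts" // constructed sample artifact root
	for _, p := range []string{"run1/out.txt", "../../etc/passwd", "run1/../../x"} {
		got, err := safeArtifactPath(base, p)
		fmt.Printf("%-20q unsafe=%q safe=%q err=%v\n", p, unsafeArtifactPath(base, p), got, err)
	}
}
```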
| CPE | Name | Operator | Version |
|---|---|---|---|
| | github.com/nektos/act | le | v0.2.39 |
github.com/nektos/act/blob/master/pkg/artifacts/server.go#L65
github.com/nektos/act/blob/v0.2.35/pkg/artifacts/server.go#L245
github.com/nektos/act/blob/v0.2.35/pkg/artifacts/server.go#LL103C2-L103C2
github.com/nektos/act/commit/63ae215071f94569d910964bdee866d91d6e3a10
github.com/nektos/act/issues/1553
github.com/nektos/act/security/advisories/GHSA-pc99-qmg4-rcff
securitylab.github.com/advisories/GHSL-2023-004_act/