Lucene search
Veracode Vulnerability DatabaseVERACODE:39023HistoryJan 26, 2023 - 3:55 p.m.
Privilege Escalation
2023-01-2615:55:14
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
5
privilege escalation
github.com/nektos/act
vulnerability
server.go
path inputs
arbitrary files
software
0.003 Low
EPSS
Percentile
69.5%
github.com/nektos/act is vulnerable to Privilege Escalation. The vulnerability exists in multiple functions of server.go because the path inputs are not sanitized which allows an attacker to download and overwrite arbitrary files on the host.
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/nektos/act | le | v0.2.39 | |
| github.com/nektos/act | le | v0.2.39 |
References
github.com/nektos/act/blob/master/pkg/artifacts/server.go#L65
github.com/nektos/act/blob/v0.2.35/pkg/artifacts/server.go#L245
github.com/nektos/act/blob/v0.2.35/pkg/artifacts/server.go#LL103C2-L103C2
github.com/nektos/act/commit/63ae215071f94569d910964bdee866d91d6e3a10
github.com/nektos/act/issues/1553
github.com/nektos/act/security/advisories/GHSA-pc99-qmg4-rcff
securitylab.github.com/advisories/GHSL-2023-004_act/
Related
cvelist
cvelist
osv
osv
act vulnerable to arbitrary file upload in artifact server
2023-01-20 16:00:36
CVE-2023-22726
2023-01-20 22:15:10
nvd
nvd
CVE-2023-22726
2023-01-20 22:15:10
cve
cve
CVE-2023-22726
2023-01-20 22:15:10
prion
prion
Path traversal
2023-01-20 22:15:00
github
github
act vulnerable to arbitrary file upload in artifact server
2023-01-20 16:00:36