CVE-2024-47179

{"id": "CVE-2024-47179", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-09-26T20:15:06.950", "references": [{"url": "https://codeql.github.com/codeql-query-help/javascript/js-actions-command-injection", "source": "security-advisories@github.com"}, {"url": "https://github.com/DIYgod/RSSHub/actions/runs/10141104413/job/28037643579#step:1:17", "source": "security-advisories@github.com"}, {"url": "https://github.com/DIYgod/RSSHub/blob/e08733f94c81440d19ee6a5fd5e915e9a65395f5/.github/workflows/docker-test-cont.yml", "source": "security-advisories@github.com"}, {"url": "https://github.com/DIYgod/RSSHub/commit/64e00e743aba2a239508fea97825994e3d687ecc", "source": "security-advisories@github.com"}, {"url": "https://github.com/DIYgod/RSSHub/security/advisories/GHSA-9mqc-fm24-h8cw", "source": "security-advisories@github.com"}, {"url": "https://securitylab.github.com/advisories/GHSL-2024-178_RSSHub", "source": "security-advisories@github.com"}, {"url": "https://securitylab.github.com/research/github-actions-preventing-pwn-requests", "source": "security-advisories@github.com"}, {"url": "https://securitylab.github.com/research/github-actions-untrusted-input", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "RSSHub is an RSS network. Prior to commit 64e00e7, RSSHub's `docker-test-cont.yml` workflow is vulnerable to Artifact Poisoning, which could have lead to a full repository takeover. Downstream users of RSSHub are not vulnerable to this issue, and commit 64e00e7 fixed the underlying issue and made the repository no longer vulnerable. The `docker-test-cont.yml` workflow gets triggered when the `PR - Docker build test` workflow completes successfully. It then collects some information about the Pull Request that triggered the triggering workflow and set some labels depending on the PR body and sender. If the PR also contains a `routes` markdown block, it will set the `TEST_CONTINUE` environment variable to `true`. The workflow then downloads and extracts an artifact uploaded by the triggering workflow which is expected to contain a single `rsshub.tar.zst` file. However, prior to commit 64e00e7, it did not validate and the contents were extracted in the root of the workspace overriding any existing files. Since the contents of the artifact were not validated, it is possible for a malicious actor to send a Pull Request which uploads, not just the `rsshub.tar.zst` compressed docker image, but also a malicious `package.json` file with a script to run arbitrary code in the context of the privileged workflow. As of commit 64e00e7, this scenario has been addressed and the RSSHub repository is no longer vulnerable."}, {"lang": "es", "value": "RSSHub es una red RSS. Antes de el commit 64e00e7, el flujo de trabajo `docker-test-cont.yml` de RSSHub era vulnerable al envenenamiento de artefactos, lo que podr\u00eda haber llevado a una toma de control total del repositorio. Los usuarios posteriores de RSSHub no son vulnerables a este problema y el commit 64e00e7 solucion\u00f3 el problema subyacente e hizo que el repositorio ya no fuera vulnerable. El flujo de trabajo `docker-test-cont.yml` se activa cuando el flujo de trabajo `PR - Docker build test` se completa correctamente. Luego, recopila informaci\u00f3n sobre la solicitud de extracci\u00f3n que activ\u00f3 el flujo de trabajo desencadenante y establece algunas etiquetas seg\u00fan el cuerpo de la solicitud de extracci\u00f3n y el remitente. Si la solicitud de extracci\u00f3n tambi\u00e9n contiene un bloque de rebajas `routes`, establecer\u00e1 la variable de entorno `TEST_CONTINUE` en `true`. Luego, el flujo de trabajo descarga y extrae un artefacto cargado por el flujo de trabajo desencadenante que se espera que contenga un solo archivo `rsshub.tar.zst`. Sin embargo, antes de el commit 64e00e7, no se valid\u00f3 y el contenido se extrajo en la ra\u00edz del espacio de trabajo anulando cualquier archivo existente. Dado que el contenido del artefacto no se valid\u00f3, es posible que un actor malintencionado env\u00ede una solicitud de extracci\u00f3n que cargue, no solo la imagen de Docker comprimida `rsshub.tar.zst`, sino tambi\u00e9n un archivo `package.json` malicioso con un script para ejecutar c\u00f3digo arbitrario en el contexto del flujo de trabajo privilegiado. A partir de el commit 64e00e7, se ha abordado este escenario y el repositorio RSSHub ya no es vulnerable."}], "lastModified": "2024-10-02T20:15:11.627", "sourceIdentifier": "security-advisories@github.com"}