GitHub Actions Vulnerability – Google Discloses Details
Google this week disclosed details of a vulnerability affecting GitHub Actions, after a 104-day disclosure deadline expired.
The bug was identified by security researcher Felix Wilhelm of Google Project Zero, who reported it to GitHub on July 21. Under Google's policy, details of the flaw were due to be published after 90 days, but GitHub requested a 14-day grace period.
THE GitHub Actions VULNERABILITY
Tracked as CVE-2020-15228, the vulnerability is related to the set-env and add-path workflow commands, which GitHub is disabling. GitHub has assigned the issue a moderate severity rating, but Google Project Zero rates it high severity.
The set-env command supported by the GitHub Actions runner lets a workflow define arbitrary environment variables, and the researcher found that the feature is highly susceptible to injection attacks.
“As the runner process parses every line printed to STDOUT looking for workflow commands, every GitHub action that prints untrusted content as part of its execution is vulnerable. In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed,” Wilhelm notes.
MORE REPORTS
GitHub confirms that the issue allows paths and environment variables to be injected into any workflow that logs untrusted data to stdout, without the workflow author intending it.
In an October 1 post, Microsoft, which owns the platform, said the @actions/core npm module should be updated to version 1.2.6, which updates the addPath and exportVariable functions.
GitHub introduced a new set of environment files for managing environment and PATH updates in workflows, so that users can continue to set environment variables dynamically.
“The runner will release an update that disables the set-env and add-path workflow commands in the near future. For now, users should upgrade to @actions/core v1.2.6 or later, and replace any instance of the set-env or add-path commands in their workflows with the new Environment File Syntax,” GitHub explains.
Runner version 2.273.5 already warns on the use of the add-path or set-env commands, and the plan is to fully disable them, GitHub said. Users are advised to upgrade as soon as possible, as no workarounds have been identified.
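To make the mechanism described above concrete, the following added example (not the runner's or GitHub's own code; a simplified model written for this page) simulates both behaviours: the legacy runner scanning every stdout line for `::set-env` / `::add-path` commands, so that untrusted text a step merely prints can set variables for later steps, and the environment-file replacement, where only the lines a step deliberately writes to the files at `$GITHUB_ENV` and `$GITHUB_PATH` are applied. It also includes a small scanner that flags the deprecated commands in a workflow file, which is the migration work the advisory asks for. The issue title, the workflow snippet and all function names are constructed for this example; the regular expressions approximate only the single-line command and `NAME=VALUE` forms.

```python
import re

# Simplified model of the two mechanisms the article contrasts. This is NOT the
# GitHub runner's code; it approximates the documented behaviour for illustration.

# Legacy form: a workflow command printed to stdout, e.g.  ::set-env name=FOO::bar
SET_ENV_RE = re.compile(r"^::set-env name=([A-Za-z_][A-Za-z0-9_]*)::(.*)$")
ADD_PATH_RE = re.compile(r"^::add-path::(.+)$")


def legacy_parse_stdout(stdout: str) -> dict:
    """Legacy runner behaviour: every line a step prints is inspected for
    workflow commands. Returns the environment and PATH additions the runner
    would apply to later steps. Anything printed, trusted or not, counts."""
    env, path = {}, []
    for line in stdout.splitlines():
        m = SET_ENV_RE.match(line)
        if m:
            env[m.group(1)] = m.group(2)
            continue
        m = ADD_PATH_RE.match(line)
        if m:
            path.append(m.group(1))
    return {"env": env, "path": path}


def env_file_parse(github_env: str, github_path: str) -> dict:
    """Environment-file behaviour: only NAME=VALUE lines written to the file at
    $GITHUB_ENV (and directories written to $GITHUB_PATH) are applied; stdout is
    just a log. Only the single-line NAME=VALUE form is modelled here."""
    env = {}
    for line in github_env.splitlines():
        if "=" in line:
            name, _, value = line.partition("=")
            env[name.strip()] = value
    path = [p for p in github_path.splitlines() if p.strip()]
    return {"env": env, "path": path}


# Constructed sample: the step logs a title supplied by an outside contributor.
UNTRUSTED_TITLE = "Fix typo\n::set-env name=INJECTED::from-issue-title"


def legacy_step(untrusted_text: str) -> dict:
    """A pre-fix step: prints untrusted text, then sets its own variable with set-env."""
    stdout = f"Processing: {untrusted_text}\n::set-env name=BUILD_ID::42\n"
    return legacy_parse_stdout(stdout)


def env_file_step(untrusted_text: str) -> dict:
    """The migrated step: prints the same text (now inert) and writes its variable
    to $GITHUB_ENV, as a shell step would with  echo "BUILD_ID=42" >> "$GITHUB_ENV"."""
    stdout = f"Processing: {untrusted_text}\n"  # logged only, never parsed
    github_env = "BUILD_ID=42\n"
    github_path = ""
    return env_file_parse(github_env, github_path)


# Constructed workflow snippet mixing deprecated commands with the new file syntax.
SAMPLE_WORKFLOW = """\
steps:
  - run: echo "::set-env name=BUILD_ID::42"
  - run: echo "::add-path::$HOME/.local/bin"
  - run: echo "BUILD_ID=42" >> "$GITHUB_ENV"
"""

DEPRECATED_CMD_RE = re.compile(r"::(set-env|add-path)\b")


def find_deprecated_commands(workflow_yaml: str) -> list:
    """Returns (line number, command) for every literal set-env/add-path use in a
    workflow file, the same usage the 2.273.5 runner warns about. Assumption: the
    commands appear literally in run: scripts rather than inside called actions."""
    hits = []
    for n, line in enumerate(workflow_yaml.splitlines(), start=1):
        m = DEPRECATED_CMD_RE.search(line)
        if m:
            hits.append((n, m.group(1)))
    return hits


if __name__ == "__main__":
    print(legacy_step(UNTRUSTED_TITLE))        # INJECTED appears alongside BUILD_ID
    print(env_file_step(UNTRUSTED_TITLE))      # only BUILD_ID
    print(find_deprecated_commands(SAMPLE_WORKFLOW))
```

The contrast is the whole point of the fix: in the legacy model the step's log output and its control channel are the same stream, so anything a step prints is a potential command; with environment files the control channel is a file the step must write to on purpose, and printed data is only ever data. A scan like `find_deprecated_commands` over a repository's `.github/workflows/` directory is a cheap way to find steps that still need migrating before the commands are disabled.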