GitHub Actions, Arbitrary Code Injection, CVE-2024-32004 (Critical)


The vulnerability CVE-2024-32004 exists in `j178/prek-action` due to unsafe handling of user-supplied inputs within a composite GitHub Action. A composite action groups multiple workflow steps into a single reusable action, defined in an `action.yml` file. This action fails to validate or sanitize the inputs `prek-version`, `extra_args`, and `extra-args` before expanding them inside a `run` step executed by `bash`. The root cause is how GitHub Actions evaluates expressions: `${{ inputs.prek-version }}` is substituted into the script text before the shell ever parses it, so the input becomes part of the command's source code rather than a value handed to it, and any quoting written around the expression in `action.yml` is ineffective. By injecting shell metacharacters such as backticks, `$()`, a closing quote, or a semicolon `;`, an attacker can break out of the intended command context and execute arbitrary commands on the runner. The injected code runs during workflow execution with the same permissions as the workflow itself, which can include the `GITHUB_TOKEN` and other secrets or repository data. The attack is particularly dangerous because the action still performs its intended function, so the malicious activity is easy to miss in workflow logs. Inputs reach the action from whoever controls the calling workflow's `with:` values, which, depending on the trigger, can include untrusted pull-request or issue content.
Platform: GitHub Actions
Version: v1.0.5

Vulnerability: Code Injection

Severity: Critical

Date: 2024-05-21

Prediction: Patch expected 2024-05-28

What Undercode Say:

Example of a malicious input exploiting the vulnerability (the `"` closes the version string the action wraps the input in, and the `;` starts a second command):
prek-version: '0.2.2"; cat /etc/passwd '
Command to list every workflow that references the action, so the pinned tag can be compared against the patched release:
grep -rn "j178/prek-action@" .github/workflows/
Command to find the injection pattern itself, an input expression that is expanded directly inside a step instead of being passed through `env:` (check both the composite action's own `action.yml` and any reusable workflows):
grep -rnE 'inputs\.(prek-version|extra_args|extra-args)' action.yml .github/workflows/*.yml

How the exploit works:

Attacker controls input variables.

Inputs are passed unsanitized.

Shell command injection occurs.

Arbitrary commands execute.

Secrets are exfiltrated.

Protection from this CVE

Upgrade to a patched release of the action, and pin it by tag or commit SHA.

Validate and sanitize user inputs (for a version string, allow only the characters a version can contain).

Pass inputs to scripts through intermediate environment variables (`env:` on the step), never by expanding `${{ }}` inside `run:`.

Restrict workflow permissions with a least-privilege `permissions:` block so a compromised step gets as little `GITHUB_TOKEN` access as possible.

Avoid building shell commands by string concatenation.
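The script below is an added example, not code from the advisory or from `j178/prek-action`. It models the vulnerable pattern described in the summary above (an input expression expanded as text inside a `run` step) next to the "intermediate environment variable" mitigation from the list above, and shows why the second one stops the payload. The Actions runner is simulated by splicing the input into the script source before a child shell parses it, which is exactly what `${{ }}` expansion does. `install_tool` is a constructed stand-in for the real installer command, `PREK_VERSION` is an assumed variable name, and both input values are constructed.

```shell
#!/bin/sh
# Added example, not part of the advisory or of j178/prek-action.
# The Actions runner expands ${{ inputs.x }} as TEXT before the shell
# parses the step, so render_vulnerable() splices the input into the
# script source the same way. install_tool is a constructed stand-in
# for the real installer; both inputs below are constructed.

BENIGN_VERSION='0.2.2'
# Same shape as the advisory's payload: close the quote, run a command.
MALICIOUS_VERSION='0.2.2"; echo INJECTED; echo "'

# Vulnerable pattern, as it would appear in action.yml:
#   run: install_tool "prek==${{ inputs.prek-version }}"
# The input becomes part of the script text, so quotes inside it are live.
render_vulnerable() {
    cat <<EOF
install_tool() { printf 'INSTALL:%s\n' "\$1"; }
install_tool "prek==$1"
EOF
}

run_vulnerable() {
    # A child shell parses the rendered text, like the runner's bash step.
    sh -c "$(render_vulnerable "$1")"
}

# Hardened pattern (the intermediate-environment-variable mitigation):
#   env:
#     PREK_VERSION: ${{ inputs.prek-version }}
#   run: install_tool "prek==$PREK_VERSION"
# The script text never changes; the input only arrives as a variable value.
render_hardened() {
    cat <<'EOF'
install_tool() { printf 'INSTALL:%s\n' "$1"; }
install_tool "prek==$PREK_VERSION"
EOF
}

run_hardened() {
    PREK_VERSION="$1" sh -c "$(render_hardened)"
}

# Number of output lines consisting solely of INJECTED; >0 means the
# payload was executed rather than treated as data.
injected_count() {
    grep -cx 'INJECTED' || true
}

count_vulnerable() { run_vulnerable "$1" | injected_count; }
count_hardened()   { run_hardened   "$1" | injected_count; }

echo "== vulnerable step, malicious input =="
run_vulnerable "$MALICIOUS_VERSION"
echo "== hardened step, malicious input =="
run_hardened "$MALICIOUS_VERSION"
```

Running it prints `INJECTED` only in the vulnerable case; the hardened step installs a package literally named `prek==0.2.2"; echo INJECTED; echo "`, which fails harmlessly instead of executing the payload. The same pattern applies to `extra_args`: expanding `$EXTRA_ARGS` from the environment (unquoted, if the input is meant to be a list of arguments) subjects the value only to word splitting and globbing, never to re-parsing as shell code, whereas splicing it into `run:` does.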

Impact:

Arbitrary code execution.

Secret leakage.

Repository compromise.

Supply chain attack.

Loss of integrity.


Sources:

Reported By: github.com