2024-11-19
Version: < v2.10.2
Vulnerability: Multiple Command Injection Vulnerabilities
Severity: Medium
Date: [Date of article publication]
What Undercode Says:
step-security/harden-runner CVE-ID:
Multiple command injection vulnerabilities exist in `step-security/harden-runner` versions prior to 2.10.2. These vulnerabilities could potentially allow attackers to inject malicious code into the system under specific conditions. However, due to the current execution order of GitHub Actions, the likelihood of successful exploitation is low.
Details:
1. `setup.ts:169`: Builds a shell command for `execSync` by interpolating `process.env.USER`; a crafted value of that variable could inject arbitrary shell commands.
2. `setup.ts:229`: Same issue as (1), but the shell expands `$USER` itself rather than Node interpolating it.
3. `arc-runner:40-44`: Builds a shell command for `execSync` from several interpolated strings, including `getRunnerTempDir()`, whose value derives from environment variables that may be attacker-controlled, so it may be vulnerable to injection.
4. `arc-runner:53`, `arc-runner:57`, `arc-runner:61`: Same issue as (3).
Recommendations:
– Upgrade to `step-security/harden-runner` version 2.10.2 or later.
– If upgrading is not immediately feasible, consider implementing additional security measures, such as input validation and output sanitization.
– Stay informed about security advisories and patches for `step-security/harden-runner` and other relevant components.
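Added example, not code from harden-runner or from the advisory's author: the vulnerable pattern described under Details (an environment value spliced into an `execSync` shell string) beside the hardened form the Recommendations call for (validate the value, then spawn without a shell). The `chown` command, the `/tmp/x` path and the `USER` sample value are constructed assumptions; `execFileSync` with an argv array is Node's standard shell-free spawn.

```typescript
import { execFileSync } from "node:child_process";

// Assumption: a runner account name is a plain POSIX-style user name. Anything
// else (spaces, quotes, $, ;, |, ...) is rejected before a process is spawned.
const SAFE_USER = /^[a-z_][a-z0-9_-]{0,31}$/;

export function isSafeUser(user: unknown): user is string {
  return typeof user === "string" && SAFE_USER.test(user);
}

// Vulnerable pattern, constructed to mirror the advisory: the variable is
// spliced into a string that execSync hands to /bin/sh, so a shell
// metacharacter in USER changes what the shell runs. Built here, never run.
export function buildVulnerableCommand(user: string, dir: string): string {
  return `chown -R ${user} ${dir}`;
}

// Hardened pattern: validate first, then build an argv array for execFileSync,
// which spawns the program directly with no shell in between.
export function buildHardenedArgv(user: unknown, dir: string): string[] {
  if (!isSafeUser(user)) {
    throw new Error("refusing to run: USER is unset or not a plain user name");
  }
  return ["chown", "-R", user, dir];
}

// Evidence that argv elements reach the child literally: spawn node itself via
// execFileSync and return the argument exactly as the child received it.
export function childSeesLiteral(value: string): string {
  return execFileSync(
    process.execPath,
    ["-e", "process.stdout.write(process.argv[1])", value],
    { encoding: "utf8" },
  );
}

export function demo(): void {
  const hostile = "runner;id"; // constructed sample value, not a real USER
  console.log("string a shell would split:", buildVulnerableCommand(hostile, "/tmp/x"));
  console.log("argv element the child saw:", JSON.stringify(childSeesLiteral(hostile)));
  console.log("passes validation?", isSafeUser(hostile), "| plain name:", isSafeUser("runner"));
}

demo();
```

The same argv-array approach applies to the `arc-runner` call sites: each interpolated piece becomes one argument, and the temp-dir path is validated (or resolved with `path.resolve`) before use.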
References:
Reported By: Github.com