Details on a vulnerability impacting GitHub Actions were made public this week by Google, following a 104-day disclosure deadline.
The bug was identified by security researcher Felix Wilhelm of Google Project Zero, who reported it to GitHub on July 21.
GitHub has assigned the issue a moderate severity rating, but Google Project Zero says it's high severity.
"As the runner process parses every line printed to STDOUT looking for workflow commands, every GitHub action that prints untrusted content as part of its execution is vulnerable. In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed," Wilhelm notes.
The issue, GitHub confirms, is that paths and environment variables can be injected into workflows that log untrusted data to stdout, all without the intention of the workflow author.
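The parse the article describes, as an added example (not code from Google, GitHub or the runner): it emulates the runner-side scan of stdout for `::command::` lines, shows how an echoed untrusted string shaped like `set-env` would be interpreted, and shows the `::stop-commands::<token>` bracket that suppresses interpretation. The sample output, the `BUILD_FLAGS` name and the function names are constructed for this example.

```python
import re
import secrets

# Constructed sample of what an action might print to stdout. The third line is
# untrusted input (say, a pull-request title) echoed verbatim on its own line; it is
# shaped like a workflow command, so the runner would act on it instead of logging it.
UNTRUSTED_TITLE = "::set-env name=BUILD_FLAGS::value-chosen-by-the-submitter"
SAMPLE_OUTPUT = [
    "Linting pull request metadata",
    "Title follows:",
    UNTRUSTED_TITLE,
    "::warning::lint finished",
]

# Workflow-command syntax: ::command key=val,key2=val2::value
_CMD_RE = re.compile(r"^::(?P<cmd>[^ :]+)(?: (?P<props>[^:]*))?::(?P<value>.*)$")

def parse_commands(lines):
    """Emulate the runner-side parse: every stdout line is checked for a workflow
    command. ::stop-commands::<token> suspends interpretation until a matching
    ::<token>:: line appears."""
    found, stop_token = [], None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if stop_token is not None:
            if line == f"::{stop_token}::":
                stop_token = None
            continue
        m = _CMD_RE.match(line)
        if not m:
            continue
        if m.group("cmd") == "stop-commands":
            stop_token = m.group("value")
            continue
        props = dict(kv.split("=", 1) for kv in (m.group("props") or "").split(",") if "=" in kv)
        found.append({"cmd": m.group("cmd"), "props": props, "value": m.group("value")})
    return found

def env_or_path_injections(lines):
    """Findings a defender cares about: commands that alter the job's environment."""
    return [f for f in parse_commands(lines) if f["cmd"] in ("set-env", "add-path")]

def print_untrusted_safely(lines):
    """Hardened pattern: bracket untrusted output in stop-commands with a random,
    unguessable token so nothing inside the bracket is parsed as a command."""
    token = secrets.token_hex(16)
    return [f"::stop-commands::{token}", *lines, f"::{token}::"]

if __name__ == "__main__":
    print(env_or_path_injections(SAMPLE_OUTPUT))                          # one set-env hit
    print(env_or_path_injections(print_untrusted_safely(SAMPLE_OUTPUT)))  # []
```

Running the same scanner over a real job log is a cheap detection for actions that echo attacker-controlled strings; the fix on the action side is to stop printing untrusted data as bare lines or to wrap it as shown.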