kartverket/github-workflows are shared reusable workflows for GitHub Actions. Prior to version 2.7.5, all users of the `run-terraform` reusable workflow from the kartverket/github-workflows repo are affected by a code injection vulnerability. A malicious actor could potentially send a PR with a malicious payload leading to execution of arbitrary JavaScript code in the context of the workflow. Users should upgrade to at least version 2.7.5 to resolve the issue. As a workaround, review any pull requests from external users for malicious payloads before allowing them to trigger a build.
References
Link | Resource |
---|---|
https://github.com/kartverket/github-workflows/pull/19 | Patch Third Party Advisory |
https://github.com/kartverket/github-workflows/releases/tag/v2.7.5 | Patch Release Notes Third Party Advisory |
https://github.com/kartverket/github-workflows/security/advisories/GHSA-f9qj-7gh3-mhj4 | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2022-10-25T00:00:00
Updated: 2022-10-25T00:00:00
Reserved: 2022-09-02T00:00:00
Link: CVE-2022-39326
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-10-25T17:15:56.087
Modified: 2022-10-28T19:26:15.733
Link: CVE-2022-39326
JSON object: View
Redhat Information
No data.
CWE