CVE-2024-42482 fish-shop/syntax-check

Package

Manager: github_actions
Name: fish-shop/syntax-check
Vulnerable Version: >=0 <1.6.12

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00482 (percentile: 0.64218)

Details

fish-shop/syntax-check Improper Neutralization of Delimiters

### Impact

Improper neutralisation of delimiters in the `pattern` input (specifically the command separator `;` and command substitution characters `(` and `)`) means that arbitrary command injection is possible by modification of the input value used in a workflow. This has the potential for exposure or exfiltration of sensitive information from the workflow runner, such as might be achieved by sending environment variables to an external entity.

### Patches

As of this writing, the issue has been patched for versions in the `v1.x.x` release series in release `v1.6.12` (also tagged as `v1.6` and `v1`). The latest available release `v2.0.0` also includes a corresponding patch (also tagged as `v2.0` and `v2`).

Users should upgrade to at least the patched version `v1.6.12` or preferably the latest available version `v2.0.0`. Workflows that use the action ref `v1` will automatically receive the patched version `v1.6.12` in future workflow runs.

Patch summary:

| Release series | Patched tags | Patched commit hashes |
|----------------|-------------------------|-------------|
| `1.x.x` | `v1.6.12`, `v1.6`, `v1` | `91e6817c48ad475542fe4e78139029b036a53b03` |
| `2.x.x` | `v2.0.0`, `v2.0`, `v2` | `c2cb11395e21119ff8d6e7ea050430ee7d6f49ca` |

### Workarounds

It is recommended that users update to the patched version `v1.6.12` or the latest release version `v2.0.0`; however, remediation may be possible through careful control of workflows and the `pattern` input value used by this action.

### References

- [CWE-140: Improper Neutralization of Delimiters](https://cwe.mitre.org/data/definitions/140.html)
- [CAPEC-15: Command Delimiters](https://capec.mitre.org/data/definitions/15.html)
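To check a repository against the patch summary and the workaround above, the following added example (not part of the advisory or the fish-shop project) audits workflow text for the action's ref and its `pattern` value. It assumes a line-based scan rather than a YAML parser, treats `${{ }}` expression values as needing review (an assumption beyond the advisory), and uses a constructed sample workflow with a hypothetical `inputs.glob` input.

```python
import re

# Patched tags and commit hashes copied from the advisory's patch summary.
PATCHED_REFS = {"v1", "v1.6", "v2", "v2.0",
                "91e6817c48ad475542fe4e78139029b036a53b03",
                "c2cb11395e21119ff8d6e7ea050430ee7d6f49ca"}
FIXED = (1, 6, 12)  # first patched release; the vulnerable range is <1.6.12
USES_RE = re.compile(r"\buses:\s*fish-shop/syntax-check@(\S+)")
PATTERN_RE = re.compile(r"^\s*pattern:\s*(.+?)\s*$")
DELIMITERS = set(";()")  # the characters the advisory names

def classify_ref(ref):
    """Return 'patched', 'vulnerable' or 'review' for an action ref."""
    if ref in PATCHED_REFS:
        return "patched"
    m = re.fullmatch(r"v(\d+)\.(\d+)\.(\d+)", ref)
    if m:
        return "patched" if tuple(map(int, m.groups())) >= FIXED else "vulnerable"
    return "review"  # other SHAs, branches or tags: not decidable from the advisory

def audit_workflow(text):
    """Line-based heuristic (assumes `uses:` precedes `with:`); returns findings."""
    findings, in_step = [], False
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("- "):
            in_step = False  # a new list item ends the previous step
        m = USES_RE.search(line)
        if m:
            in_step = True
            findings.append((no, "ref", classify_ref(m.group(1))))
            continue
        p = PATTERN_RE.match(line)
        if in_step and p:
            value = p.group(1).strip("'\"")
            if DELIMITERS & set(value):
                findings.append((no, "pattern", "contains delimiter"))
            elif "${{" in value:  # assumption: expression-fed values need review
                findings.append((no, "pattern", "expression-controlled"))
    return findings

# Constructed sample steps fragment (not from the advisory).
SAMPLE = """\
- uses: fish-shop/syntax-check@v1.6.11
  with:
    pattern: ${{ inputs.glob }}
- uses: fish-shop/syntax-check@v2
"""

if __name__ == "__main__":
    print(*audit_workflow(SAMPLE), sep="\n")
```

A `review` verdict means the ref is a branch, an unlisted tag or a commit hash other than the two in the patch summary, so it has to be resolved against the repository by hand.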

Metadata

Created: 2024-08-12T18:25:20Z
Modified: 2024-08-12T19:16:59Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-xj87-mqvh-88w2/GHSA-xj87-mqvh-88w2.json
CWE IDs: ["CWE-140"]
Alternative ID: GHSA-xj87-mqvh-88w2
Finding: F027
Auto approve: 1