logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-52587 step-security/harden-runner

Package

Manager: github_actions
Name: step-security/harden-runner
Vulnerable Version: >=0 <2.10.2

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS: 0.01046 pctl0.76669

Details

Harden-Runner has a command injection weaknesses in `setup.ts` and `arc-runner.ts` ### Summary Versions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via environment variables that could potentially be exploited under specific conditions. However, due to the current execution order of pre-steps in GitHub Actions and the placement of harden-runner as the first step in a job, the likelihood of exploitation is low as the Harden-Runner action reads the environment variable during the pre-step stage. There are no known exploits at this time. ### Details 1. setup.ts:169 [1] performs `execSync` with a command that gets invoked after interpretation by the shell. This command includes an interpolated `process.env.USER` variable, which an attacker could modify (without actually creating a new user) to inject arbitrary shell expressions into this `execSync`. This may or may not be likely in practice, but I believe the hygienic way to perform the underlying operation is to use `execFileSync` or similar and bypass the underlying shell evaluation. 2. setup.ts:229 [2] has a nearly identical `execSync` to (1) above, but with `$USER` for shell-level interpolation rather than string interpolation. However, this is still injectable and would be best replaced by an `execFileSync`, per above. 3. arc-runner:40-44 [3] has an `execSync` with multiple string interpolations. Most of these do not appear immediately injectible (since they appear to come from presumed trusted API responses), but the expansion of `getRunnerTempDir()` may be injectable due to its dependence on potentially attacker-controllable environment variables (e.g. `RUNNER_TEMP`). The underlying operation appears to be a trivial file copy, so this entire subprocess should in theory be replaceable with ordinary NodeJS `fs` API calls instead. 4. arc-runner:53 [4] demonstrates the same weakness, and has the same resolution as (3). 5. arc-runner:57 demonstrates the same weakness as (3) and (4), and has the same resolution. 6. arc-runner:61 demonstrates the same weakness as (3), (4), and (5), and has the same resolution. [1]: https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/setup.ts#L169 [2]: https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/setup.ts#L229 [3]: https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/arc-runner.ts#L40-L44 [4]: https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/arc-runner.ts#L53 [5]: https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/arc-runner.ts#L57 [6]: https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/arc-runner.ts#L61

Metadata

Created: 2024-11-18T23:48:26Z
Modified: 2024-11-19T20:50:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-g85v-wf27-67xc/GHSA-g85v-wf27-67xc.json
CWE IDs: ["CWE-78"]
Alternative ID: GHSA-g85v-wf27-67xc
Finding: F004
Auto approve: 1