437 – Supply Chain Attack - GitHub Actions
Description
In GitHub Actions, if a workflow does not lock the actions it uses to a specific revision, a malicious change made to a third-party action is pulled into the next build of every project that references that action.
Impact
An attacker who controls the action can modify the workflow to execute tasks that steal data, introduce security vulnerabilities or perform harmful actions in the target environment.
Recommendation
Use mechanisms such as pinning actions to a specific Git commit, or verifying downloaded artifacts against known hashes, to verify the integrity of the code that runs in the workflow.
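As an added illustration (not part of the original entry), the script below scans a GitHub Actions workflow for `uses:` references and reports the ones that are not immutable. It treats only a full 40-hex-digit commit SHA (or a `docker://` image with a `@sha256:` digest) as pinned; tags, branches and missing refs are reported as mutable. The embedded workflow is a constructed sample, and the SHA in it is a placeholder, not a real commit.

```python
import re

# Constructed sample workflow: one action on a mutable tag, one pinned to a
# (placeholder) full commit SHA, one local action, and one container image
# referenced by a mutable tag.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: npm test
"""

# A full Git object id is the only ref form a third party cannot move later.
FULL_SHA = re.compile(r"^[0-9a-fA-F]{40}$")
# Matches `uses:` whether it starts a list item or follows a `- name:` line;
# the value ends at whitespace or a trailing comment.
USES_LINE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")


def classify_uses(ref: str) -> tuple[bool, str]:
    """Return (pinned, reason) for the value of a `uses:` key."""
    if ref.startswith("./"):
        return True, "local action, versioned with the repository itself"
    if ref.startswith("docker://"):
        if "@sha256:" in ref:
            return True, "container image pinned by digest"
        return False, "container image referenced by a mutable tag"
    if "@" not in ref:
        return False, "no ref given; resolves to the action's default branch"
    ref_part = ref.rsplit("@", 1)[1]
    if FULL_SHA.match(ref_part):
        return True, "pinned to a full commit SHA"
    return False, f"mutable ref '{ref_part}' (a tag or branch can be moved)"


def find_unpinned(workflow_text: str) -> list[dict]:
    """List every `uses:` reference in the workflow that is not immutable."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        pinned, reason = classify_uses(m.group(1))
        if not pinned:
            findings.append({"line": lineno, "uses": m.group(1), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['uses']} -> {f['reason']}")
```

Running it on the sample reports `actions/checkout@v4` and `docker://alpine:3.19`; the SHA-pinned action and the local action pass. In practice the check runs over every file under `.github/workflows/`, and a pinned SHA is usually followed by a comment naming the version it corresponds to, as the sample does, so the pin stays readable when it is bumped.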
Threat
Authenticated attacker with internet access and write access to the provider's relays.
Expected Remediation Time
Score 4.0
Default score using CVSS 4.0. It may change depending on the context of the source code.
Base 4.0
- Attack vector: N
- Attack complexity: H
- Attack Requirements: N
- Privileges required: L
- User interaction: P
- Confidentiality (VC): N
- Integrity (VI): L
- Availability (VA): N
- Confidentiality (SC): N
- Integrity (SI): N
- Availability (SA): N
Threat 4.0
- Exploit maturity: U