Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
kartverket/github-workflows's run-terraform allows for RCE via terraform plan
Vulnerability Description
kartverket/github-workflows are shared reusable workflows for GitHub Actions. Prior to version 2.7.5, all users of the `run-terraform` reusable workflow from the kartverket/github-workflows repo are affected by a code injection vulnerability. A malicious actor could potentially send a PR with a malicious payload leading to execution of arbitrary JavaScript code in the context of the workflow. Users should upgrade to at least version 2.7.5 to resolve the issue. As a workaround, review any pull requests from external users for malicious payloads before allowing them to trigger a build.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
Improper Control of Generation of Code (Code Injection)
Vulnerability Title
github-workflows Code Injection Vulnerability
Vulnerability Description
github-workflows is a set of shared reusable GitHub Actions workflows from the individual developer Kartverket. Versions of github-workflows prior to 2.7.5 contain a security vulnerability that stems from exposure to code injection: a malicious actor could send a PR carrying a malicious payload, leading to execution of arbitrary JavaScript code in the workflow context.
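Both descriptions above state that a pull request payload reaching the `run-terraform` workflow ends up executing as JavaScript, but neither shows the mechanism. The workflow fragment below is an added illustration, not the kartverket/github-workflows code, and it assumes the common pattern in which `terraform plan` output (which a PR author influences through the `.tf` files they change) is handed to `actions/github-script` to post a PR comment. It shows the weak step beside the hardened one; the `stdout` output of the plan step relies on the command wrapper that `hashicorp/setup-terraform` enables by default.

```yaml
# Added example (not the project's workflow). Assumed job shape: plan, then comment on the PR.
name: terraform-plan-comment
on:
  pull_request:

jobs:
  plan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3   # its wrapper exposes steps.<id>.outputs.stdout
      - id: plan
        run: terraform plan -no-color
        continue-on-error: true

      # WEAK: a ${{ }} expression is expanded by the runner *before* the script is
      # parsed, so the plan text is pasted into JavaScript source. Any quote or
      # backtick sequence that a contributor can place in plan output (resource
      # names, variable values, descriptions) then becomes code, not data.
      - name: Comment plan (vulnerable pattern)
        uses: actions/github-script@v7
        with:
          script: |
            const plan = `${{ steps.plan.outputs.stdout }}`;
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: "```\n" + plan + "\n```",
            });

      # HARDENED: route the untrusted text through an environment variable and
      # read it at runtime. The script source never changes, so the plan output
      # can only ever be a string value.
      - name: Comment plan (hardened pattern)
        uses: actions/github-script@v7
        env:
          PLAN: ${{ steps.plan.outputs.stdout }}
        with:
          script: |
            const plan = process.env.PLAN;
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: "```\n" + plan + "\n```",
            });
```

When auditing a reusable workflow for this class of bug, grep every `script:` and `run:` block for `${{` expressions that reference `steps.*.outputs`, `github.event.pull_request.*`, or other contributor-controlled values, and move each one into `env:`; the same expansion-before-parse rule that turns plan output into JavaScript turns it into shell in a `run:` step.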
CVSS Information
N/A
Vulnerability Type
N/A