Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Harden-Runner has command injection weaknesses in `setup.ts` and `arc-runner.ts`
Vulnerability Description
StepSecurity's Harden-Runner provides network egress filtering and runtime security for GitHub-hosted and self-hosted runners. Versions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via environment variables that could potentially be exploited under specific conditions. However, due to the current execution order of pre-steps in GitHub Actions and the placement of harden-runner as the first step in a job, the likelihood of exploitation is low as the Harden-Runner action reads the environment variable during the pre-step stage. There are no known exploits at this time. Version 2.10.2 contains a patch.
CVSS Information
N/A
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
Vulnerability Title
Harden-Runner 操作系统命令注入漏洞
Vulnerability Description
Harden-Runner是StepSecurity开源的一个程序。为 GitHub 托管和自托管的跑步者提供网络出口过滤和运行时安全。 Harden-Runner v2.10.2之前版本存在操作系统命令注入漏洞,该漏洞源于包含多个通过环境变量进行的命令注入漏洞。
CVSS Information
N/A
Vulnerability Type
N/A