Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Meshtastic allows Command Injection in GitHub Action
Vulnerability Description
Meshtastic is an open source mesh networking solution. The main_matrix.yml GitHub Action is triggered by the pull_request_target event, which has extensive permissions, and can be initiated by an attacker who forked the repository and created a pull request. In the shell code execution part, user-controlled input is interpolated unsafely into the code. If this were to be exploited, attackers could inject unauthorized code into the repository. This vulnerability is fixed in 2.6.6.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
Vulnerability Title
Meshtastic device firmware 操作系统命令注入漏洞
Vulnerability Description
Meshtastic device firmware是Meshtastic开源的一种用于 Meshtastic 设备运行开源、离网、去中心化网状网络的固件。 Meshtastic device firmware 2.6.6之前版本存在操作系统命令注入漏洞,该漏洞源于main_matrix.yml GitHub Action中用户输入不安全地插入代码,可能导致注入未授权代码。
CVSS Information
N/A
Vulnerability Type
N/A