Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
dedupe is vulnerable to secret exfiltration via `issue_comment`
Vulnerability Description
dedupe is a python library that uses machine learning to perform fuzzy matching, deduplication and entity resolution quickly on structured data. Before commit 3f61e79, a critical severity vulnerability has been identified within the .github/workflows/benchmark-bot.yml workflow, where a issue_comment can be triggered using the @benchmark body. This workflow is susceptible to exploitation as it checkout the ${{ github.event.issue.number }}, which correspond to the branch of the PR manipulated by potentially malicious actors, and where untrusted code may be executed. Running untrusted code may lead to the exfiltration of GITHUB_TOKEN, which in this workflow has write permissions on most of the scopes - in particular the contents one - and could lead to potential repository takeover. This is fixed by commit 3f61e79.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
Vulnerability Title
Dedupe Python Library 操作系统命令注入漏洞
Vulnerability Description
Dedupe Python Library是Dedupe.io开源的一个用于精确和可扩展的模糊匹配、去重的Python库。 Dedupe Python Library 存在操作系统命令注入漏洞,该漏洞源于.github/workflows/benchmark-bot.yml工作流中issue_comment触发执行不受信任代码,可能导致GITHUB_TOKEN泄露。
CVSS Information
N/A
Vulnerability Type
N/A