Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
serverless-dns is vulnerable to Command Injection through pr.yml GitHub Action Workflow
Vulnerability Description
serverless-dns is a RethinkDNS resolver that deploys to Cloudflare Workers, Deno Deploy, Fastly, and Fly.io. Versions through abd including 0.1.30 have a vulnerability where the pr.yml GitHub Action interpolates in an unsafe manner untrusted input, specifically the github.event.pull_request.head.repo.clone_url and github.head_ref, to a command in the runner. Due to the action using the pull_request_target trigger it has permissive permissions by default. An unauthorized attacker can exploit this vulnerability to push arbitrary data to the repository. The subsequent impact on the end-user is executing the attackers' code when running serverless-dns. This is fixed in commit c5537dd, and expected to be released in 0.1.31.
CVSS Information
N/A
Vulnerability Type
在命令中使用的特殊元素转义处理不恰当(命令注入)
Vulnerability Title
serverless-dns 命令注入漏洞
Vulnerability Description
serverless-dns是serverless-dns开源的一个DNS解析器。 serverless-dns 0.1.30及之前版本存在命令注入漏洞,该漏洞源于pr.yml GitHub Action以不安全方式插入不受信任的输入,可能导致执行攻击者代码。
CVSS Information
N/A
Vulnerability Type
N/A