Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
OpenLIT Vulnerable to Remote Code Execution and Secret Exposure via Misuse of `pull_request_target` in GitHub Actions Workflows
Vulnerability Description
OpenLIT is an open source platform for AI engineering. Prior to version 1.37.1, several GitHub Actions workflows in OpenLIT's GitHub repository use the `pull_request_target` event while checking out and executing untrusted code from forked pull requests. These workflows run with the security context of the base repository, including a write-privileged `GITHUB_TOKEN` and numerous sensitive secrets (API keys, database/vector store tokens, and a Google Cloud service account key). Version 1.37.1 contains a fix.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type
从非可信控制范围包含功能例程
Vulnerability Title
OpenLIT 安全漏洞
Vulnerability Description
OpenLIT是OpenLIT开源的一个大语言模型开发工具。 OpenLIT 1.37.1之前版本存在安全漏洞,该漏洞源于GitHub Actions工作流使用pull_request_target事件时执行不受信任的代码,可能导致敏感信息泄露。
CVSS Information
N/A
Vulnerability Type
N/A