漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
ToolJet GitHub Actions comment body shell injection exposes deployment secrets
Vulnerability Description
ToolJet is an open-source low-code platform for building internal tools. Prior to 3.20.180, ToolJet's render preview deployment workflow interpolates github.event.comment.body directly into a bash conditional in a run step, allowing any GitHub user who can comment on an open pull request with a deploy command to execute shell commands on the CI runner and exfiltrate deployment secrets. This issue is reported as fixed in version 3.20.180.
CVSS Information
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)