Google's Project Zero has struck once more, releasing details of an unpatched vulnerability in Microsoft software.
The firm has today released details of a "high severity" exploit in GitHub which could allow remote code execution.
The flaw, in workflow commands, which act as a communication channel between executed actions and the Action Runner, is described as follows by Felix Wilhelm, who found the issue:
The big problem with this feature is that it is highly vulnerable to injection attacks. As the runner process parses every line printed to STDOUT looking for workflow commands, every GitHub action that prints untrusted content as part of its execution is vulnerable. In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed.
I've spent some time looking at popular GitHub repositories and almost any project with somewhat complex GitHub actions is vulnerable to this bug class.
The problem seems to be fundamental to how workflow commands work, making it very difficult to fix. GitHub's advisory notes:
`add-path` and `set-env` Runner commands are processed
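As an added illustration (not code from Project Zero, GitHub or this article), the following Python emulates the STDOUT line scanner Wilhelm describes, audits constructed action output for the two commands named in the advisory, and shows the runner's own `stop-commands` pause marker (a mechanism this article does not mention) neutralising untrusted text. The `::command key=value::data` line syntax is assumed from the public runner behaviour; all sample output is constructed.

```python
import re
import secrets
from dataclasses import dataclass

# Workflow command syntax as the page describes it: the runner scans every line of an
# action's STDOUT for "::<command> <key>=<value>,...::<data>" and acts on matches.
_CMD = re.compile(r"^::(?P<cmd>[A-Za-z0-9_-]+)(?: (?P<props>[^:]*))?::(?P<data>.*)$")
MUTATING = {"set-env", "add-path"}  # the two commands named in GitHub's advisory

@dataclass
class Command:
    name: str
    props: dict
    data: str

def parse_workflow_commands(stdout: str) -> list[Command]:
    """Emulate the runner's line scanner, including the stop-commands pause marker."""
    commands, resume_token = [], None
    for line in stdout.splitlines():
        m = _CMD.match(line.strip())
        if not m:
            continue
        name, props_raw, data = m.group("cmd"), m.group("props"), m.group("data")
        if resume_token is not None:          # paused: only the resume marker counts
            if name == resume_token and not data:
                resume_token = None
            continue
        if name == "stop-commands":
            resume_token = data               # ignore commands until "::<token>::"
            continue
        props = {k.strip(): v for k, _, v in
                 (kv.partition("=") for kv in props_raw.split(","))} if props_raw else {}
        commands.append(Command(name, props, data))
    return commands

def audit_stdout(stdout: str) -> list[str]:
    """Flag every environment- or PATH-mutating command the runner would have obeyed."""
    return [f"{c.name} {c.props} -> {c.data!r}"
            for c in parse_workflow_commands(stdout) if c.name in MUTATING]

def wrap_untrusted(text: str) -> str:
    """Defensive pattern: fence untrusted output so embedded command lines are inert."""
    token = secrets.token_hex(16)
    return f"::stop-commands::{token}\n{text}\n::{token}::"

# Constructed sample: an action that echoes a pull-request title chosen by an outsider.
PR_TITLE = "Fix typo\n::set-env name=INJECTED::from-pr-title\n::add-path::/tmp/untrusted"
UNSAFE_STDOUT = f"Checking PR...\nTitle: {PR_TITLE}\n::debug::done"
SAFE_STDOUT = f"Checking PR...\nTitle:\n{wrap_untrusted(PR_TITLE)}\n::debug::done"
```

Running `audit_stdout` over `UNSAFE_STDOUT` reports both injected commands, while the fenced `SAFE_STDOUT` yields none.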