{"containers": {"cna": {"affected": [{"product": "github-action-merge-dependabot", "vendor": "fastify", "versions": [{"status": "affected", "version": "< 3.2.0"}]}], "descriptions": [{"lang": "en", "value": "github-action-merge-dependabot is an action that automatically approves and merges dependabot pull requests (PRs). Prior to version 3.2.0, github-action-merge-dependabot does not check if a commit created by dependabot is verified with the proper GPG key. There is just a check if the actor is set to `dependabot[bot]` to determine if the PR is a legit PR. Theoretically, an owner of a seemingly valid and legit action in the pipeline can check if the PR is created by dependabot and if their own action has enough permissions to modify the PR in the pipeline. If so, they can modify the PR by adding a second seemingly valid and legit commit to the PR, as they can set arbitrarily the username and email in for commits in git. Because the bot only checks if the actor is valid, it would pass the malicious changes through and merge the PR automatically, without getting noticed by project maintainers. It would probably not be possible to determine where the malicious commit came from, as it would only say `dependabot[bot]` and the corresponding email-address. Version 3.2.0 contains a patch for this issue."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-283", "description": "CWE-283: Unverified Ownership", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-31T16:10:10", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/fastify/github-action-merge-dependabot/security/advisories/GHSA-v5vr-h3xq-8v6w"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/fastify/github-action-merge-dependabot/commit/309f39539c5d918d8a47075587aa8720a9c127f7"}, {"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/bugs?report_id=1564530"}], "source": {"advisory": "GHSA-v5vr-h3xq-8v6w", "discovery": "UNKNOWN"}, "title": "No verification of commits origin in github-action-merge-dependabot", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-29220", "STATE": "PUBLIC", "TITLE": "No verification of commits origin in github-action-merge-dependabot"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "github-action-merge-dependabot", "version": {"version_data": [{"version_value": "< 3.2.0"}]}}]}, "vendor_name": "fastify"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "github-action-merge-dependabot is an action that automatically approves and merges dependabot pull requests (PRs). Prior to version 3.2.0, github-action-merge-dependabot does not check if a commit created by dependabot is verified with the proper GPG key. There is just a check if the actor is set to `dependabot[bot]` to determine if the PR is a legit PR. Theoretically, an owner of a seemingly valid and legit action in the pipeline can check if the PR is created by dependabot and if their own action has enough permissions to modify the PR in the pipeline. If so, they can modify the PR by adding a second seemingly valid and legit commit to the PR, as they can set arbitrarily the username and email in for commits in git. Because the bot only checks if the actor is valid, it would pass the malicious changes through and merge the PR automatically, without getting noticed by project maintainers. It would probably not be possible to determine where the malicious commit came from, as it would only say `dependabot[bot]` and the corresponding email-address. Version 3.2.0 contains a patch for this issue."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-283: Unverified Ownership"}]}]}, "references": {"reference_data": [{"name": "https://github.com/fastify/github-action-merge-dependabot/security/advisories/GHSA-v5vr-h3xq-8v6w", "refsource": "CONFIRM", "url": "https://github.com/fastify/github-action-merge-dependabot/security/advisories/GHSA-v5vr-h3xq-8v6w"}, {"name": "https://github.com/fastify/github-action-merge-dependabot/commit/309f39539c5d918d8a47075587aa8720a9c127f7", "refsource": "MISC", "url": "https://github.com/fastify/github-action-merge-dependabot/commit/309f39539c5d918d8a47075587aa8720a9c127f7"}, {"name": "https://hackerone.com/bugs?report_id=1564530", "refsource": "MISC", "url": "https://hackerone.com/bugs?report_id=1564530"}]}, "source": {"advisory": "GHSA-v5vr-h3xq-8v6w", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T06:17:54.072Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/fastify/github-action-merge-dependabot/security/advisories/GHSA-v5vr-h3xq-8v6w"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/fastify/github-action-merge-dependabot/commit/309f39539c5d918d8a47075587aa8720a9c127f7"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/bugs?report_id=1564530"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-29220", "datePublished": "2022-05-31T16:10:10", "dateReserved": "2022-04-13T00:00:00", "dateUpdated": "2024-08-03T06:17:54.072Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fastify:github_action_merge_dependabot:*:*:*:*:*:*:*:*", "matchCriteriaId": "D311B6C0-4E64-448B-9899-711E25FB5ED1", "versionEndExcluding": "3.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "github-action-merge-dependabot is an action that automatically approves and merges dependabot pull requests (PRs). Prior to version 3.2.0, github-action-merge-dependabot does not check if a commit created by dependabot is verified with the proper GPG key. There is just a check if the actor is set to `dependabot[bot]` to determine if the PR is a legit PR. Theoretically, an owner of a seemingly valid and legit action in the pipeline can check if the PR is created by dependabot and if their own action has enough permissions to modify the PR in the pipeline. If so, they can modify the PR by adding a second seemingly valid and legit commit to the PR, as they can set arbitrarily the username and email in for commits in git. Because the bot only checks if the actor is valid, it would pass the malicious changes through and merge the PR automatically, without getting noticed by project maintainers. It would probably not be possible to determine where the malicious commit came from, as it would only say `dependabot[bot]` and the corresponding email-address. Version 3.2.0 contains a patch for this issue."}, {"lang": "es", "value": "github-action-merge-dependabot es una acci\u00f3n que aprueba y fusiona autom\u00e1ticamente las peticiones de pull (PR) de dependabot. En versiones anteriores a 3.2.0, github-action-merge-dependabot no comprueba si un commit creado por dependabot est\u00e1 verificado con la clave GPG adecuada. S\u00f3lo se presenta comprobaci\u00f3n si el actor es establecido como \"dependabot[bot]\" para determinar si el PR es un PR leg\u00edtimo. Te\u00f3ricamente, un propietario de una acci\u00f3n aparentemente v\u00e1lida y leg\u00edtima en la tuber\u00eda puede comprobar si el PR es creado por dependabot y si su propia acci\u00f3n presenta suficientes permisos para modificar el PR en la tuber\u00eda. Si es as\u00ed, pueden modificar el PR a\u00f1adiendo un segundo commit aparentemente v\u00e1lido y leg\u00edtimo al PR, ya que pueden establecer arbitrariamente el nombre de usuario y el correo electr\u00f3nico en los commits en git. Dado que el bot s\u00f3lo comprueba si el actor es v\u00e1lido, pasar\u00eda los cambios maliciosos y fusionar\u00eda el PR autom\u00e1ticamente, sin que los mantenedores del proyecto dieran cuenta. Probablemente no ser\u00eda posible determinar de d\u00f3nde proviene el commit malicioso, ya que s\u00f3lo dir\u00eda \"dependabot[bot]\" y la direcci\u00f3n de correo electr\u00f3nico correspondiente. La versi\u00f3n 3.2.0 contiene un parche para este problema"}], "id": "CVE-2022-29220", "lastModified": "2022-06-15T18:49:18.507", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-05-31T16:15:08.037", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/fastify/github-action-merge-dependabot/commit/309f39539c5d918d8a47075587aa8720a9c127f7"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/fastify/github-action-merge-dependabot/security/advisories/GHSA-v5vr-h3xq-8v6w"}, {"source": "security-advisories@github.com", "tags": ["Permissions Required", "Third Party Advisory"], "url": "https://hackerone.com/bugs?report_id=1564530"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-283"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}