CVE-2022-39326 - OpenCVE

kartverket/github-workflows are shared reusable workflows for GitHub Actions. Prior to version 2.7.5, all users of the `run-terraform` reusable workflow from the kartverket/github-workflows repo are affected by a code injection vulnerability. A malicious actor could potentially send a PR with a malicious payload leading to execution of arbitrary JavaScript code in the context of the workflow. Users should upgrade to at least version 2.7.5 to resolve the issue. As a workaround, review any pull requests from external users for malicious payloads before allowing them to trigger a build.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Kartverket	Github-workflows

Configuration 1 [-]

cpe:2.3:a:kartverket:github-workflows:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/kartverket/github-workflows/pull/19
https://github.com/kartverket/github-workflows/releases/tag/v2.7.5
https://github.com/kartverket/github-workflows/security/advisories/GHSA-f9qj-7gh3-mhj4

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-10-25T00:00:00

Updated: 2024-08-03T12:00:44.038Z

Reserved: 2022-09-02T00:00:00

Link: CVE-2022-39326

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-10-25T17:15:56.087

Modified: 2022-10-28T19:26:15.733

Link: CVE-2022-39326

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-39326", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2024-08-03T12:00:44.038Z", "dateReserved": "2022-09-02T00:00:00", "datePublished": "2022-10-25T00:00:00"}, "containers": {"cna": {"title": "kartverket/github-workflows's run-terraform allows for RCE via terraform plan", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-10-25T00:00:00"}, "descriptions": [{"lang": "en", "value": "kartverket/github-workflows are shared reusable workflows for GitHub Actions. Prior to version 2.7.5, all users of the `run-terraform` reusable workflow from the kartverket/github-workflows repo are affected by a code injection vulnerability. A malicious actor could potentially send a PR with a malicious payload leading to execution of arbitrary JavaScript code in the context of the workflow. Users should upgrade to at least version 2.7.5 to resolve the issue. As a workaround, review any pull requests from external users for malicious payloads before allowing them to trigger a build."}], "affected": [{"vendor": "kartverket", "product": "github-workflows", "versions": [{"version": "< 2.7.5", "status": "affected"}]}], "references": [{"url": "https://github.com/kartverket/github-workflows/security/advisories/GHSA-f9qj-7gh3-mhj4"}, {"url": "https://github.com/kartverket/github-workflows/pull/19"}, {"url": "https://github.com/kartverket/github-workflows/releases/tag/v2.7.5"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94"}]}], "source": {"advisory": "GHSA-f9qj-7gh3-mhj4", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:44.038Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/kartverket/github-workflows/security/advisories/GHSA-f9qj-7gh3-mhj4", "tags": ["x_transferred"]}, {"url": "https://github.com/kartverket/github-workflows/pull/19", "tags": ["x_transferred"]}, {"url": "https://github.com/kartverket/github-workflows/releases/tag/v2.7.5", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kartverket:github-workflows:*:*:*:*:*:*:*:*", "matchCriteriaId": "9BE0EA3C-47ED-4B8A-8694-049BAA206417", "versionEndExcluding": "2.7.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "kartverket/github-workflows are shared reusable workflows for GitHub Actions. Prior to version 2.7.5, all users of the `run-terraform` reusable workflow from the kartverket/github-workflows repo are affected by a code injection vulnerability. A malicious actor could potentially send a PR with a malicious payload leading to execution of arbitrary JavaScript code in the context of the workflow. Users should upgrade to at least version 2.7.5 to resolve the issue. As a workaround, review any pull requests from external users for malicious payloads before allowing them to trigger a build."}, {"lang": "es", "value": "kartverket/github-workflows son flujos de trabajo reusables compartidos para las acciones de GitHub. versiones anteriores a 2.7.5, todos los usuarios del flujo de trabajo reusable \"run-terraform\" del repositorio kartverket/github-workflows est\u00e1n afectados por una vulnerabilidad de inyecci\u00f3n de c\u00f3digo. Un actor malicioso podr\u00eda enviar una RP con una carga \u00fatil maliciosa que conlleva a una ejecuci\u00f3n de c\u00f3digo JavaScript arbitrario en el contexto del flujo de trabajo. Los usuarios deben actualizar al menos a versi\u00f3n 2.7.5 para resolver el problema. Como mitigaci\u00f3n, revise cualquier petici\u00f3n de usuarios externos en busca de cargas \u00fatiles maliciosas antes de permitir que desencadenen una compilaci\u00f3n"}], "id": "CVE-2022-39326", "lastModified": "2022-10-28T19:26:15.733", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-10-25T17:15:56.087", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/kartverket/github-workflows/pull/19"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Release Notes", "Third Party Advisory"], "url": "https://github.com/kartverket/github-workflows/releases/tag/v2.7.5"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/kartverket/github-workflows/security/advisories/GHSA-f9qj-7gh3-mhj4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Secondary"}]}