CVE-2024-41127 - OpenCVE

Monkeytype is a minimalistic and customizable typing test. Monkeytype is vulnerable to Poisoned Pipeline Execution through Code Injection in its ci-failure-comment.yml GitHub Workflow, enabling attackers to gain pull-requests write access. The ci-failure-comment.yml workflow is triggered when the Monkey CI workflow completes. When it runs, it will download an artifact uploaded by the triggering workflow and assign the contents of ./pr_num/pr_num.txt artifact to the steps.pr_num_reader.outputs.content WorkFlow variable. It is not validated that the variable is actually a number and later it is interpolated into a JS script allowing an attacker to change the code to be executed. This issue leads to pull-requests write access. This vulnerability is fixed in 24.30.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact total

Vendors	Products
Monkeytype	Monkeytype

Configuration 1 [-]

cpe:2.3:a:monkeytype:monkeytype:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/monkeytypegame/monkeytype/commit/29627fd0d5f152e2da59671987090ea0a5c29874
https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-wcjf-5464-4wq9
https://securitylab.github.com/advisories/GHSL-2024-167_monkeytype

History

Wed, 11 Sep 2024 15:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-94

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-08-02T14:46:21.941Z

Updated: 2024-08-02T16:52:08.440Z

Reserved: 2024-07-15T15:53:28.323Z

Link: CVE-2024-41127

Vulnrichment

Updated: 2024-08-02T16:52:04.068Z

NVD

Status : Analyzed

Published: 2024-08-02T15:16:36.503

Modified: 2024-09-11T14:52:15.690

Link: CVE-2024-41127

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-41127", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-07-15T15:53:28.323Z", "datePublished": "2024-08-02T14:46:21.941Z", "dateUpdated": "2024-08-02T16:52:08.440Z"}, "containers": {"cna": {"title": "Monkeytype is vulnerable to Poisoned Pipeline Execution through Code Injection in its `ci-failure-comment.yml` GitHub Workflow, enabling attackers to gain `pull-requests` write access.", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-wcjf-5464-4wq9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-wcjf-5464-4wq9"}, {"name": "https://github.com/monkeytypegame/monkeytype/commit/29627fd0d5f152e2da59671987090ea0a5c29874", "tags": ["x_refsource_MISC"], "url": "https://github.com/monkeytypegame/monkeytype/commit/29627fd0d5f152e2da59671987090ea0a5c29874"}, {"name": "https://securitylab.github.com/advisories/GHSL-2024-167_monkeytype", "tags": ["x_refsource_MISC"], "url": "https://securitylab.github.com/advisories/GHSL-2024-167_monkeytype"}], "affected": [{"vendor": "monkeytypegame", "product": "monkeytype", "versions": [{"version": "< 24.30.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-08-02T14:46:21.941Z"}, "descriptions": [{"lang": "en", "value": "Monkeytype is a minimalistic and customizable typing test. Monkeytype is vulnerable to Poisoned Pipeline Execution through Code Injection in its ci-failure-comment.yml GitHub Workflow, enabling attackers to gain pull-requests write access. The ci-failure-comment.yml workflow is triggered when the Monkey CI workflow completes. When it runs, it will download an artifact uploaded by the triggering workflow and assign the contents of ./pr_num/pr_num.txt artifact to the steps.pr_num_reader.outputs.content WorkFlow variable. It is not validated that the variable is actually a number and later it is interpolated into a JS script allowing an attacker to change the code to be executed. This issue leads to pull-requests write access. This vulnerability is fixed in 24.30.0."}], "source": {"advisory": "GHSA-wcjf-5464-4wq9", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "monkeytype", "product": "monkeytype", "cpes": ["cpe:2.3:a:monkeytype:monkeytype:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "24.30.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-02T16:48:39.585270Z", "id": "CVE-2024-41127", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-02T16:52:08.440Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-41127", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-07-15T15:53:28.323Z", "datePublished": "2024-08-02T14:46:21.941Z", "dateUpdated": "2024-08-02T16:52:08.440Z"}, "containers": {"cna": {"title": "Monkeytype is vulnerable to Poisoned Pipeline Execution through Code Injection in its `ci-failure-comment.yml` GitHub Workflow, enabling attackers to gain `pull-requests` write access.", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-wcjf-5464-4wq9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-wcjf-5464-4wq9"}, {"name": "https://github.com/monkeytypegame/monkeytype/commit/29627fd0d5f152e2da59671987090ea0a5c29874", "tags": ["x_refsource_MISC"], "url": "https://github.com/monkeytypegame/monkeytype/commit/29627fd0d5f152e2da59671987090ea0a5c29874"}, {"name": "https://securitylab.github.com/advisories/GHSL-2024-167_monkeytype", "tags": ["x_refsource_MISC"], "url": "https://securitylab.github.com/advisories/GHSL-2024-167_monkeytype"}], "affected": [{"vendor": "monkeytypegame", "product": "monkeytype", "versions": [{"version": "< 24.30.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-08-02T14:46:21.941Z"}, "descriptions": [{"lang": "en", "value": "Monkeytype is a minimalistic and customizable typing test. Monkeytype is vulnerable to Poisoned Pipeline Execution through Code Injection in its ci-failure-comment.yml GitHub Workflow, enabling attackers to gain pull-requests write access. The ci-failure-comment.yml workflow is triggered when the Monkey CI workflow completes. When it runs, it will download an artifact uploaded by the triggering workflow and assign the contents of ./pr_num/pr_num.txt artifact to the steps.pr_num_reader.outputs.content WorkFlow variable. It is not validated that the variable is actually a number and later it is interpolated into a JS script allowing an attacker to change the code to be executed. This issue leads to pull-requests write access. This vulnerability is fixed in 24.30.0."}], "source": {"advisory": "GHSA-wcjf-5464-4wq9", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-41127", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-02T16:48:39.585270Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:monkeytype:monkeytype:*:*:*:*:*:*:*:*"], "vendor": "monkeytype", "product": "monkeytype", "versions": [{"status": "affected", "version": "0", "lessThan": "24.30.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-02T16:52:04.068Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:monkeytype:monkeytype:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D09169A-F904-4F72-9084-912E77340CA1", "versionEndExcluding": "24.30.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Monkeytype is a minimalistic and customizable typing test. Monkeytype is vulnerable to Poisoned Pipeline Execution through Code Injection in its ci-failure-comment.yml GitHub Workflow, enabling attackers to gain pull-requests write access. The ci-failure-comment.yml workflow is triggered when the Monkey CI workflow completes. When it runs, it will download an artifact uploaded by the triggering workflow and assign the contents of ./pr_num/pr_num.txt artifact to the steps.pr_num_reader.outputs.content WorkFlow variable. It is not validated that the variable is actually a number and later it is interpolated into a JS script allowing an attacker to change the code to be executed. This issue leads to pull-requests write access. This vulnerability is fixed in 24.30.0."}, {"lang": "es", "value": "Monkeytype es una prueba de mecanograf\u00eda minimalista y personalizable. Monkeytype es vulnerable a la ejecuci\u00f3n de canalizaci\u00f3n envenenada mediante inyecci\u00f3n de c\u00f3digo en su flujo de trabajo de GitHub ci-failure-comment.yml, lo que permite a los atacantes obtener acceso de escritura a solicitudes de extracci\u00f3n. El flujo de trabajo ci-failure-comment.yml se activa cuando se completa el flujo de trabajo de Monkey CI. Cuando se ejecute, descargar\u00e1 un artefacto cargado por el flujo de trabajo desencadenante y asignar\u00e1 el contenido del artefacto ./pr_num/pr_num.txt a la variable de flujo de trabajo steps.pr_num_reader.outputs.content. No se valida que la variable sea en realidad un n\u00famero y luego se interpola en un script JS que permite a un atacante cambiar el c\u00f3digo a ejecutar. Este problema conduce al acceso de escritura de las solicitudes de extracci\u00f3n. Esta vulnerabilidad se solucion\u00f3 en 24.30.0."}], "id": "CVE-2024-41127", "lastModified": "2024-09-11T14:52:15.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-08-02T15:16:36.503", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/monkeytypegame/monkeytype/commit/29627fd0d5f152e2da59671987090ea0a5c29874"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-wcjf-5464-4wq9"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://securitylab.github.com/advisories/GHSL-2024-167_monkeytype"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-74"}], "source": "security-advisories@github.com", "type": "Secondary"}]}