{"vulnerability": "CVE-2024-41127", "sightings": [{"uuid": "abfaf25a-f202-4cfd-a035-b83e1c7f2234", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-41127", "type": "seen", "source": "https://t.me/cvedetector/2354", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-41127 - Monkeytype Code Injection Vulnerability (Pipeline Execution)\", \n  \"Content\": \"CVE ID : CVE-2024-41127 \nPublished : Aug. 2, 2024, 3:16 p.m. | 42\u00a0minutes ago \nDescription : Monkeytype is a minimalistic and customizable typing test. Monkeytype is vulnerable to Poisoned Pipeline Execution through Code Injection in its ci-failure-comment.yml GitHub Workflow, enabling attackers to gain pull-requests write access. The ci-failure-comment.yml workflow is triggered when the Monkey CI workflow completes. When it runs, it will download an artifact uploaded by the triggering workflow and assign the contents of ./pr_num/pr_num.txt artifact to the steps.pr_num_reader.outputs.content WorkFlow variable. It is not validated that the variable is actually a number and later it is interpolated into a JS script allowing an attacker to change the code to be executed. This issue leads to pull-requests write access. This vulnerability is fixed in 24.30.0. \nSeverity: 8.3 | HIGH \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"02 Aug 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-08-02T18:11:56.000000Z"}]}