ghsa-g85v-wf27-67xc
Vulnerability from github
Published
2024-11-18 23:48
Modified
2024-11-19 20:50
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
2.7 (Low) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U
Summary
Harden-Runner has a command injection weaknesses in `setup.ts` and `arc-runner.ts`
Details

Summary

Versions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via environment variables that could potentially be exploited under specific conditions. However, due to the current execution order of pre-steps in GitHub Actions and the placement of harden-runner as the first step in a job, the likelihood of exploitation is low as the Harden-Runner action reads the environment variable during the pre-step stage. There are no known exploits at this time.

Details

  1. setup.ts:169 1 performs execSync with a command that gets invoked after interpretation by the shell. This command includes an interpolated process.env.USER variable, which an attacker could modify (without actually creating a new user) to inject arbitrary shell expressions into this execSync. This may or may not be likely in practice, but I believe the hygienic way to perform the underlying operation is to use execFileSync or similar and bypass the underlying shell evaluation.

  2. setup.ts:229 2 has a nearly identical execSync to (1) above, but with $USER for shell-level interpolation rather than string interpolation. However, this is still injectable and would be best replaced by an execFileSync, per above.

  3. arc-runner:40-44 3 has an execSync with multiple string interpolations. Most of these do not appear immediately injectible (since they appear to come from presumed trusted API responses), but the expansion of getRunnerTempDir() may be injectable due to its dependence on potentially attacker-controllable environment variables (e.g. RUNNER_TEMP). The underlying operation appears to be a trivial file copy, so this entire subprocess should in theory be replaceable with ordinary NodeJS fs API calls instead.

  4. arc-runner:53 4 demonstrates the same weakness, and has the same resolution as (3).

  5. arc-runner:57 demonstrates the same weakness as (3) and (4), and has the same resolution.

  6. arc-runner:61 demonstrates the same weakness as (3), (4), and (5), and has the same resolution.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "GitHub Actions",
        "name": "step-security/harden-runner"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-52587"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-18T23:48:26Z",
    "nvd_published_at": "2024-11-18T22:15:09Z",
    "severity": "LOW"
  },
  "details": "### Summary\n\nVersions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via environment variables that could potentially be exploited under specific conditions. However, due to the current execution order of pre-steps in GitHub Actions and the placement of harden-runner as the first step in a job, the likelihood of exploitation is low as the Harden-Runner action reads the environment variable during the pre-step stage. There are no known exploits at this time. \n\n### Details\n\n1. setup.ts:169 [1]  performs `execSync` with a command that gets\ninvoked after interpretation by the shell. This command includes an\ninterpolated `process.env.USER` variable, which an attacker could\nmodify (without actually creating a new user) to inject arbitrary\nshell expressions into this `execSync`. This may or may not be likely\nin practice, but I believe the hygienic way to perform the underlying\noperation is to use `execFileSync` or similar and bypass the\nunderlying shell evaluation.\n\n2. setup.ts:229 [2] has a nearly identical `execSync` to (1) above,\nbut with `$USER` for shell-level interpolation rather than string\ninterpolation. However, this is still injectable and would be best\nreplaced by an `execFileSync`, per above.\n\n3. arc-runner:40-44 [3] has an `execSync` with multiple string\ninterpolations. Most of these do not appear immediately injectible\n(since they appear to come from presumed trusted API responses), but\nthe expansion of `getRunnerTempDir()` may be injectable due to its\ndependence on potentially attacker-controllable environment variables\n(e.g. `RUNNER_TEMP`). The underlying operation appears to be a trivial\nfile copy, so this entire subprocess should in theory be replaceable\nwith ordinary NodeJS `fs` API calls instead.\n\n4. arc-runner:53 [4] demonstrates the same weakness, and has the same\nresolution as (3).\n\n5. arc-runner:57 demonstrates the same weakness as (3) and (4), and\nhas the same resolution.\n\n6. arc-runner:61 demonstrates the same weakness as (3), (4), and (5),\nand has the same resolution.\n\n\n[1]: https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/setup.ts#L169\n\n[2]: https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/setup.ts#L229\n\n[3]: https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/arc-runner.ts#L40-L44\n\n[4]: https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/arc-runner.ts#L53\n\n[5]: https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/arc-runner.ts#L57\n\n[6]: https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/arc-runner.ts#L61",
  "id": "GHSA-g85v-wf27-67xc",
  "modified": "2024-11-19T20:50:10Z",
  "published": "2024-11-18T23:48:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/step-security/harden-runner/security/advisories/GHSA-g85v-wf27-67xc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52587"
    },
    {
      "type": "WEB",
      "url": "https://github.com/step-security/harden-runner/commit/0080882f6c36860b6ba35c610c98ce87d4e2f26f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/step-security/harden-runner"
    },
    {
      "type": "WEB",
      "url": "https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/arc-runner.ts#L40-L44"
    },
    {
      "type": "WEB",
      "url": "https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/arc-runner.ts#L53"
    },
    {
      "type": "WEB",
      "url": "https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/arc-runner.ts#L57"
    },
    {
      "type": "WEB",
      "url": "https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/arc-runner.ts#L61"
    },
    {
      "type": "WEB",
      "url": "https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/setup.ts#L169"
    },
    {
      "type": "WEB",
      "url": "https://github.com/step-security/harden-runner/blob/951b48540b429070694bc8abd82fd6901eb123ca/src/setup.ts#L229"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Harden-Runner has a command injection weaknesses in `setup.ts` and `arc-runner.ts`"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.