CVE-2022-39326

25.10.2022, 17:15

kartverket/github-workflows are shared reusable workflows for GitHub Actions. Prior to version 2.7.5, all users of the `run-terraform` reusable workflow from the kartverket/github-workflows repo are affected by a code injection vulnerability. A malicious actor could potentially send a PR with a malicious payload leading to execution of arbitrary JavaScript code in the context of the workflow. Users should upgrade to at least version 2.7.5 to resolve the issue. As a workaround, review any pull requests from external users for malicious payloads before allowing them to trigger a build.

Code Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
GitHub_M	CNA	8.8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 41%

Vendor	Product	Version
kartverket	github-workflows	𝑥 < 2.7.5

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-94 - Improper Control of Generation of Code ('Code Injection')
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References

https://github.com/kartverket/github-workflows/pull/19

https://github.com/kartverket/github-workflows/releases/tag/v2.7.5

https://github.com/kartverket/github-workflows/security/advisories/GHSA-f9qj-7gh3-mhj4

https://github.com/kartverket/github-workflows/pull/19

https://github.com/kartverket/github-workflows/releases/tag/v2.7.5

https://github.com/kartverket/github-workflows/security/advisories/GHSA-f9qj-7gh3-mhj4