GHSA-cxww-7g56-2vh6

Опубликовано: 03 сент. 2024

Источник: github

Github: Прошло ревью

CVSS4: 8.6

CVSS3: 7.3

Описание

@actions/download-artifact has an Arbitrary File Write via artifact extraction

Impact

Versions of actions/download-artifact before 4.1.3 are vulnerable to arbitrary file write when downloading and extracting a specifically crafted artifact that contains path traversal filenames.

Patches

Upgrade to version 4.1.3 or higher. Alternatively use 'v4' tag which points to the latest and secure version.

References

https://snyk.io/research/zip-slip-vulnerability
https://github.com/actions/download-artifact/releases/tag/v4.1.3
https://github.com/actions/download-artifact/pull/299

CVE

CVE-2024-42471

Credits

Justin Taft from Google

Ссылки

https://github.com/actions/download-artifact/security/advisories/GHSA-cxww-7g56-2vh6
https://github.com/actions/download-artifact/releases/tag/v4.1.3
https://github.com/advisories/GHSA-6q32-hq47-5qq3
https://snyk.io/research/zip-slip-vulnerability

Пакеты

Наименование

actions/download-artifact

actions

Затронутые версииВерсия исправления

>= 4.0.0, < 4.1.3

4.1.3

8.6 High

CVSS4

7.3 High

CVSS3