CVE-2024-42482

Aug. 12, 2024, 6:57 p.m.

CVSS Score

4.8 / 10

Product(s) Impacted

fish-shop/syntax-check GitHub action

  • v1.6.12
  • v2.0.0

Description

fish-shop/syntax-check is a GitHub action for syntax checking fish shell files. Improper neutralization of delimiters in the `pattern` input (specifically the command separator `;` and command substitution characters `(` and `)`) mean that arbitrary command injection is possible by modification of the input value used in a workflow. This has the potential for exposure or exfiltration of sensitive information from the workflow runner, such as might be achieved by sending environment variables to an external entity. It is recommended that users update to the patched version `v1.6.12` or the latest release version `v2.0.0`, however remediation may be possible through careful control of workflows and the `pattern` input value used by this action.

Weaknesses

CWE-140
Improper Neutralization of Delimiters

The product does not neutralize or incorrectly neutralizes delimiters.

CWE ID: 140

Date

Published: Aug. 12, 2024, 4:15 p.m.

Last Modified: Aug. 12, 2024, 6:57 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

CVSS Data

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score
4.8
Exploitability Score
2.2
Impact Score
2.5
Base Severity
MEDIUM
CVSS Vector String

The CVSS vector string provides an in-depth view of the vulnerability metrics.

View Vector String

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

References