Products
RSSHub
- before commit 64e00e7
Source
security-advisories@github.com
Tags
CVE-2024-47179 details
Last Modified : Sept. 26, 2024, 8:15 p.m.
Description
RSSHub is an RSS network. Prior to commit 64e00e7, RSSHub's `docker-test-cont.yml` workflow is vulnerable to Artifact Poisoning, which could have lead to a full repository takeover. Downstream users of RSSHub are not vulnerable to this issue, and commit 64e00e7 fixed the underlying issue and made the repository no longer vulnerable. The `docker-test-cont.yml` workflow gets triggered when the `PR - Docker build test` workflow completes successfully. It then collects some information about the Pull Request that triggered the triggering workflow and set some labels depending on the PR body and sender. If the PR also contains a `routes` markdown block, it will set the `TEST_CONTINUE` environment variable to `true`. The workflow then downloads and extracts an artifact uploaded by the triggering workflow which is expected to contain a single `rsshub.tar.zst` file. However, prior to commit 64e00e7, it did not validate and the contents were extracted in the root of the workspace overriding any existing files. Since the contents of the artifact were not validated, it is possible for a malicious actor to send a Pull Request which uploads, not just the `rsshub.tar.zst` compressed docker image, but also a malicious `package.json` file with a script to run arbitrary code in the context of the privileged workflow. As of commit 64e00e7, this scenario has been addressed and the RSSHub repository is no longer vulnerable.
CVSS Score
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8.8 | 9 | 10 |
---|
Weakness
Weakness | Name | Description |
---|---|---|
CWE-20 | Improper Input Validation | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
CVSS Data
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
8.8
Exploitability Score
2.8
Impact Score
5.9
Base Severity
HIGH
Vector String : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
URL | Source |
---|---|
https://codeql.github.com/codeql-query-help/javascript/js-actions-command-injection | security-advisories@github.com |
https://github.com/DIYgod/RSSHub/actions/runs/10141104413/job/28037643579#step:1:17 | security-advisories@github.com |
https://github.com/DIYgod/RSSHub/blob/e08733f94c81440d19ee6a5fd5e915e9a65395f5/.github/workflows/docker-test-cont.yml | security-advisories@github.com |
https://github.com/DIYgod/RSSHub/commit/64e00e743aba2a239508fea97825994e3d687ecc | security-advisories@github.com |
https://github.com/DIYgod/RSSHub/security/advisories/GHSA-9mqc-fm24-h8cw | security-advisories@github.com |
https://securitylab.github.com/research/github-actions-preventing-pwn-requests | security-advisories@github.com |
https://securitylab.github.com/research/github-actions-untrusted-input | security-advisories@github.com |