Jackhac

**Name of the Vulnerable Software and Affected Versions** Wazuh version 4.12.0 **Description** Wazuh version 4.12.0 has an issue where the `GITHUB TOKEN` can be extracted from uploaded artifacts in GitHub Actions workflows. This allows attackers to potentially perform unauthorized actions, such as pushing malicious commits or altering release tags, within a limited timeframe. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** phpgt/Dom versions prior to 4.1.8 **Description** The issue exposes the GITHUB TOKEN in the Dom workflow run artifact. This occurs because the ci.yml workflow file uses actions/upload-artifact@v4 to upload the build artifact, which is a zip of the current directory and includes the automatically generated .git/config file containing the run's GITHUB TOKEN. An attacker can extract the token from the artifact and use it with the GitHub API to push malicious code or rewrite release commits in the repository. The token is only valid for the duration of the workflow run, limiting the time during which exploitation could occur. Downstream users of the repository may be affected. **Recommendations** For versions prior to 4.1.8, update to version 4.1.8 to fix the issue. As a temporary workaround, consider restricting access to the `actions/upload-artifact@v4` action in the ci.yml workflow file until the update is applied. Avoid using the `GITHUB TOKEN` in the affected workflow until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Adept versions prior to commit a1a41b7 **Description** The issue concerns the exposure of the GITHUB TOKEN in the Adept language workflow. Prior to commit a1a41b7, the remoteBuild.yml workflow file uses actions/upload-artifact@v4 to upload the mac-standalone artifact, which is a zip of the current directory and includes the automatically generated .git/config file containing the run's GITHUB TOKEN. This allows an attacker to extract the token from the artifact and use it with the Github API to push malicious code or rewrite release commits in the AdeptLanguage/Adept repository. **Recommendations** For versions prior to commit a1a41b7, update to a version that includes the patch from commit a1a41b7 to resolve the issue. As a temporary workaround, consider restricting access to the `actions/upload-artifact@v4` action in the remoteBuild.yml workflow file until the patch is applied.

**Name of the Vulnerable Software and Affected Versions** z80pack versions 1.38 and prior **Description** The issue concerns the exposure of sensitive information, specifically the GITHUB TOKEN, in the workflow run artifact. This occurs because the `makefile-ubuntu.yml` workflow file uses `actions/upload-artifact@v4` to upload the `z80pack-ubuntu` artifact, which is a zip of the current directory and includes the automatically generated `.git/config` file containing the run's GITHUB TOKEN. An attacker can extract the token from the artifact and use it with the Github API to push malicious code or rewrite release commits in the repository. **Recommendations** For versions 1.38 and prior, update to a version that includes the fix committed in bd95916 to prevent the exposure of the GITHUB TOKEN. As a temporary workaround, consider restricting access to the `makefile-ubuntu.yml` workflow file until the issue is resolved. Avoid using the `actions/upload-artifact@v4` action in the `makefile-ubuntu.yml` workflow file until the issue is resolved.