PT-2021-14496 · Projen · Projen

Eladb · Published 2021-04-06 · Updated 2021-04-15 · CVE-2021-21423
CVSS v3.1 8.1 High
Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
projen versions prior to 0.16.41
projen versions prior to 0.17.0
Description
The projen tool synthesizes project configuration files from a well-typed definition written in JavaScript. Users of projen's NodeProject project type get a .github/workflows/rebuild-bot.yml workflow that may allow any GitHub user to trigger execution of untrusted code in the context of the main repository. The workflow is triggered by pull-request comments containing @projen rebuild and runs with a GITHUB_TOKEN belonging to the repository into which the pull request is made, so the code in the pull request executes with that token's write access rather than with the reduced permissions a fork would normally get. Repositories without branch protection configured on their default branch could therefore allow an untrusted user to gain access to secrets configured on the repository, for example by pushing changes to the default branch (including to other workflows) with that token.
Recommendations
For versions prior to 0.16.41, upgrade projen to version 0.16.41 or later to mitigate the issue. For versions prior to 0.17.0, upgrade projen to version 0.17.0 or later to remove the rebuild-bot.yml workflow entirely. As a temporary workaround, remove the .github/workflows/rebuild-bot.yml file and add it to .gitignore via .projenrc.js; deleting the file alone is not enough, because projen regenerates the workflow on the next synthesis. After either fix, confirm that the workflow is no longer present on the default branch, since a copy left there would still be triggered by comments, and enable branch protection on the default branch regardless, which limits what any token-bearing job can push.
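As an added check (example code written for this page, not part of the advisory or of projen), the following Node.js script flags workflows of the shape described above, so a repository that cannot upgrade yet can find any copy of the pattern under .github/workflows. It works on workflow files already parsed into objects; the samples are constructed by hand to match the description and are hypothetical, not projen's actual rebuild-bot.yml. The trigger list, the author_association allow-list and the refs/pull/<n>/head checkout are assumptions made for the example.

```javascript
// Added example, not projen's code: audit parsed GitHub Actions workflows for the
// pattern in CVE-2021-21423, a comment-triggered job that checks out the pull
// request's own code and runs it with the base repository's GITHUB_TOKEN.
// Workflow objects are constructed here by hand to mirror what a YAML parser
// would return; they are hypothetical, not projen's actual rebuild-bot.yml.

// Triggers whose runs carry the base repository's token (with write access)
// even when the event originates from a fork (assumption for this example).
const PRIVILEGED_TRIGGERS = new Set(['issue_comment', 'pull_request_target', 'workflow_run']);

// Associations that imply the commenter already has write access.
const TRUSTED_ASSOCIATIONS = new Set(['OWNER', 'MEMBER', 'COLLABORATOR']);

// Trigger names of a workflow, whatever shape `on` took (string, list or map).
// YAML 1.1 parsers turn the bare key `on` into boolean true, hence the fallback.
function triggerNames(workflow) {
  const on = workflow.on ?? workflow[true];
  if (typeof on === 'string') return [on];
  if (Array.isArray(on)) return on;
  if (on && typeof on === 'object') return Object.keys(on);
  return [];
}

// True only if an `if:` expression allow-lists author_association values that
// all imply write access. A body match such as contains(..., '@projen rebuild')
// is not a trust check, and neither is `!= 'NONE'` (CONTRIBUTOR still passes).
// Heuristic: a negated allow-list would be misread as a gate.
function hasTrustGate(expr) {
  if (typeof expr !== 'string' || !expr.includes('author_association')) return false;
  const quoted = [...expr.matchAll(/["']([A-Z_]+)["']/g)].map((m) => m[1]);
  return quoted.length > 0 && quoted.every((a) => TRUSTED_ASSOCIATIONS.has(a));
}

// One finding per job that is privileged-triggered, checks out an explicit ref
// (i.e. not the default branch the token belongs to) and then runs commands,
// with no trust gate on the job or on any step up to and including the checkout.
function findings(workflow) {
  const out = [];
  const privileged = triggerNames(workflow).filter((t) => PRIVILEGED_TRIGGERS.has(t));
  if (privileged.length === 0) return out;
  for (const [jobName, job] of Object.entries(workflow.jobs || {})) {
    const steps = job.steps || [];
    const checkoutIdx = steps.findIndex((s) =>
      typeof s.uses === 'string' && s.uses.startsWith('actions/checkout') && s.with && s.with.ref !== undefined);
    if (checkoutIdx === -1) continue; // only the base branch is checked out; PR files never run
    if (!steps.slice(checkoutIdx + 1).some((s) => typeof s.run === 'string')) continue;
    const gated = hasTrustGate(job.if) || steps.slice(0, checkoutIdx + 1).some((s) => hasTrustGate(s.if));
    if (!gated) {
      out.push(`${jobName}: ${privileged.join('/')}-triggered job checks out a PR ref and runs ` +
        'commands from it with the repository token, with no author_association gate');
    }
  }
  return out;
}

// Constructed samples (hypothetical). The job shape follows the advisory's
// description: comment trigger, checkout of the PR head, build with the token.
function rebuildWorkflow(jobIf) {
  return {
    name: 'rebuild-bot',
    on: { issue_comment: { types: ['created'] } },
    jobs: {
      rebuild: {
        'runs-on': 'ubuntu-latest',
        if: jobIf,
        steps: [
          { uses: 'actions/checkout@v2',
            with: { token: '${{ secrets.GITHUB_TOKEN }}', ref: 'refs/pull/${{ github.event.issue.number }}/head' } },
          { run: 'yarn install --frozen-lockfile' },
          { run: 'npx projen build' },
        ],
      },
    },
  };
}

const TRIGGER = "contains(github.event.comment.body, '@projen rebuild')";
const VULNERABLE = rebuildWorkflow(TRIGGER);
const WEAK_GATE = rebuildWorkflow(`${TRIGGER} && github.event.comment.author_association != 'NONE'`);
const HARDENED = rebuildWorkflow(
  `${TRIGGER} && (github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'MEMBER')`);

for (const [label, wf] of [['vulnerable', VULNERABLE], ['weak gate', WEAK_GATE], ['hardened', HARDENED]]) {
  console.log(label, findings(wf));
}
```

To audit a real repository, load each file under .github/workflows with a YAML parser (the yaml npm package, for instance) and pass the result to findings(). The gate check is deliberately strict: a body match on @projen rebuild or an author_association != 'NONE' test is still reported, because CONTRIBUTOR and FIRST_TIME_CONTRIBUTOR would pass it.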

Fix


Weakness Enumeration

Related Identifiers

CVE-2021-21423
GHSA-gg2g-m5wc-vccq
PYSEC-2021-111

Affected Products

Projen