CVE-2022-39321

Name of the Vulnerable Software and Affected Versions GitHub Actions Runner versions prior to 2.296.2 GitHub Actions Runner versions prior to 2.293.1 GitHub Actions Runner versions prior to 2.289.4 GitHub Actions Runner versions prior to 2.285.2 GitHub Actions Runner versions prior to 2.283.4

Description A bug in the logic for how the environment is encoded into docker commands was discovered that allows an input to escape the environment variable and modify the docker command invocation directly. Jobs that use container actions, job containers, or service containers alongside untrusted user inputs in environment variables may be vulnerable.

Recommendations For versions prior to 2.296.2, update to version 2.296.2 or later. For versions prior to 2.293.1, update to version 2.293.1 or later. For versions prior to 2.289.4, update to version 2.289.4 or later. For versions prior to 2.285.2, update to version 2.285.2 or later. For versions prior to 2.283.4, update to version 2.283.4 or later. As a temporary workaround, consider removing any container actions, job containers, or service containers from jobs until able to upgrade the runner versions.