PT-2022-24901 · Github · Kartverket/Github-Workflows

Eliihen · Published 2022-10-19 · Updated 2022-10-28 · CVE-2022-39326

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: kartverket/github-workflows versions prior to 2.7.5

Description: The issue is a code injection vulnerability that affects all users of the run-terraform reusable workflow from the kartverket/github-workflows repo. A malicious actor could potentially send a PR with a malicious payload, leading to the execution of arbitrary JavaScript code in the context of the workflow.

Recommendations: For versions prior to 2.7.5, upgrade to at least version 2.7.5 to resolve the issue. As a temporary workaround, review any pull requests from external users for malicious payloads before allowing them to trigger a build.
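The class of bug described above is GitHub Actions expression injection: an attacker-controlled event field such as the PR body is expanded by `${{ ... }}` inside a step's `run:` command or a `script:` input, so the text becomes shell or JavaScript source rather than data. The scanner below is an added example, not code from this advisory or from the kartverket/github-workflows project; it assumes that this is the injection path in run-terraform (the advisory only states that a PR payload reaches JavaScript in the workflow), and its list of untrusted event fields and the sample workflow are constructed for illustration. It flags the weak pattern and leaves the hardened pattern (the same field passed through `env:` and read from the environment) unflagged.

```python
import re

# Heuristic scanner for GitHub Actions expression injection. It flags
# `${{ ... }}` expressions that reference contributor-controlled event fields
# when they appear in a step's `run:` command or `script:` input, where the
# expanded text is executed as code. The same fields assigned under `env:` are
# not flagged, because there they reach the step as an environment variable.

# Event fields an external contributor controls directly (a subset of the list
# in GitHub's script-injection guidance; assumed sufficient for this example).
UNTRUSTED_CONTEXTS = (
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.event.review.body",
    "github.event.review_comment.body",
    "github.event.commits",
    "github.event.head_commit.message",
    "github.event.head_commit.author.name",
    "github.event.head_commit.author.email",
    "github.head_ref",
)

EXPR_RE = re.compile(r"\$\{\{(.*?)\}\}")
# A `run:` or `script:` key, optionally as a list item. Group 1 is the key,
# group 2 is what follows the colon: an inline value or a `|`/`>` indicator.
CODE_KEY_RE = re.compile(r"^\s*(?:-\s+)?(run|script):\s*(.*)$")


def _untrusted_hits(text):
    """Return (expression, context) pairs for untrusted references in text."""
    hits = []
    for m in EXPR_RE.finditer(text):
        expr = m.group(1).strip()
        matched = [c for c in UNTRUSTED_CONTEXTS if c in expr]
        if matched:
            hits.append((expr, max(matched, key=len)))
    return hits


def scan_workflow(text):
    """Scan workflow YAML text line by line; return a list of finding dicts."""
    findings = []
    block_key = None   # key of the block scalar we are inside, if any
    block_col = None   # column of that key; deeper-indented lines belong to it

    def record(lineno, key, source):
        for expr, ctx in _untrusted_hits(source):
            findings.append({"line": lineno, "key": key, "expr": expr, "context": ctx})

    for lineno, line in enumerate(text.splitlines(), 1):
        if block_key is not None:
            if not line.strip():
                continue                       # blank lines do not end a block scalar
            indent = len(line) - len(line.lstrip())
            if indent > block_col:
                record(lineno, block_key, line)
                continue
            block_key = block_col = None       # dedent: the block scalar ended
        m = CODE_KEY_RE.match(line)
        if not m:
            continue
        key, rest = m.group(1), m.group(2).strip()
        if rest.startswith(("|", ">")):
            block_key, block_col = key, m.start(1)
        else:
            record(lineno, key, rest)
    return findings


# Constructed sample workflow (not the project's run-terraform workflow): the
# `weak` job splices contributor-controlled text into code, the `hardened`
# job passes the same values through environment variables.
SAMPLE_WORKFLOW = """\
name: review
on: [pull_request]
jobs:
  weak:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/github-script@v6
        with:
          script: |
            // PR body text is spliced into the JavaScript source itself
            const body = "${{ github.event.pull_request.body }}";
            console.log(body.length);
      - run: echo "branch ${{ github.head_ref }}"
  hardened:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/github-script@v6
        env:
          PR_BODY: ${{ github.event.pull_request.body }}
        with:
          script: |
            // the same text arrives as data via the environment
            const body = process.env.PR_BODY;
            console.log(body.length);
      - run: echo "branch $HEAD_REF"
        env:
          HEAD_REF: ${{ github.head_ref }}
"""

if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: untrusted {f['context']} expanded in `{f['key']}`")
```

Run against the sample, the scanner reports the two expansions in the `weak` job and nothing in `hardened`. The line-based block tracking is a deliberate simplification so the script runs without a YAML library; a production check should parse the workflow properly and also cover `with:` inputs other than `script:` that end up in shell or JavaScript.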

Exploit

Fix

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2022-39326
GHSA-F9QJ-7GH3-MHJ4

Affected Products

Kartverket/Github-Workflows