PT-2024-29968 · Github · Actions/Artifact

Justin Taft · Published 2024-09-02 · Updated 2025-01-23 · CVE-2024-42471

CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
actions/artifact versions 2.0.0 through 2.1.1
actions/artifact versions 2.1.2 through 2.1.6

Description
An arbitrary file write is possible when downloadArtifactInternal, downloadArtifactPublic, or streamExtractExternal extracts a specially crafted artifact whose entries carry path traversal filenames: entry names are written to disk without being confined to the extraction directory. Users are advised to upgrade to a fixed version to mitigate the risk.

Recommendations
For actions/artifact versions 2.0.0 through 2.1.1, upgrade to version 2.1.2 or higher. For actions/artifact versions 2.1.2 through 2.1.6, upgrade to version 2.1.7 or higher. As a temporary workaround, consider disabling the downloadArtifactInternal, downloadArtifactPublic, and streamExtractExternal functions until the fixed version can be deployed. Restrict access to the vulnerable actions/artifact module to minimize the risk of exploitation.

Tags: Exploit · Fix

Weakness Enumeration
Path traversal

Related Identifiers

CVE-2024-42471
GHSA-6Q32-HQ47-5QQ3

Affected Products

Actions/Artifact