PT-2024-29979 · Fish Shop · Syntax-Check
Marcransome
·
Published
2024-08-12
·
Updated
2024-09-17
·
CVE-2024-42482
CVSS v4.0
6.9
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
fish-shop/syntax-check versions prior to v1.6.12
fish-shop/syntax-check versions prior to v2.0.0
Description
The issue is improper neutralization of delimiters in the action's pattern input: the fish command separator ; and the fish command substitution characters ( and ) are passed through to the shell unescaped, so the value is parsed as code rather than treated as data. An attacker who can modify the value a workflow supplies as pattern can therefore inject arbitrary commands that run on the workflow runner, potentially exposing or exfiltrating sensitive information available to the job (for example secrets and tokens) from the runner.
Recommendations
For versions prior to v1.6.12, update to version v1.6.12 or the latest release version v2.0.0.
For versions prior to v2.0.0, update to version v2.0.0.
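To make the mechanism in the description concrete, here is an added example that is not code from fish-shop/syntax-check: a POSIX sh model of a composite-action step whose run: script has the pattern input spliced into its source text by ${{ inputs.pattern }} expansion, beside the same step with the value handed to the shell through an environment variable (the remediation pattern assumed here; the project's own fix is linked from the Fix section), plus an allowlist check a workflow author can apply to the value before relying on the workaround below. The real action runs under fish, where command substitution is written ( ); this demo uses sh so it runs anywhere, so the equivalent operator is $( ), while ; behaves the same in both shells. The function names, the PATTERN variable and the allowed-character set are this example's assumptions.

```shell
#!/bin/sh
# Added example; not code from fish-shop/syntax-check.
# Models the injection class in this advisory: a step whose run: script
# has the pattern input spliced into its source text by template
# expansion, next to the assumed remediation of passing the value through
# an environment variable so the script text stays constant.
# fish writes command substitution as ( ); POSIX sh writes it as $( ).

# Constructed sample values for the pattern input.
BENIGN='**.fish'
PAYLOAD_SEPARATOR='**.fish; echo INJECTED'
PAYLOAD_SUBST='**.fish$(echo INJECTED)'

# Vulnerable: the value becomes part of the script text before the shell
# parses it, so ; and $( ) inside it are executed as code.
vulnerable_step() {
    script="pattern=$1
printf 'checking files matching: %s\n' \"\$pattern\""
    sh -c "$script"
}

# Hardened: the script text is constant and the value arrives in the
# environment (env: PATTERN: ${{ inputs.pattern }} in a workflow), so it
# is only ever expanded inside double quotes as one string.
hardened_step() {
    PATTERN="$1" sh -c 'printf "checking files matching: %s\n" "$PATTERN"'
}

# Input-side check for the workaround: accept only characters a glob for
# fish files plausibly needs (an assumed allowlist; widen it deliberately).
# Returns 0 when the value is acceptable, 1 when it must be rejected.
pattern_is_safe() {
    case "$1" in
        '') return 1 ;;
        *[!A-Za-z0-9*./_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Stand-alone demonstration.
echo "--- vulnerable step ---"
vulnerable_step "$PAYLOAD_SEPARATOR"
vulnerable_step "$PAYLOAD_SUBST"
echo "--- hardened step ---"
hardened_step "$PAYLOAD_SEPARATOR"
hardened_step "$PAYLOAD_SUBST"
echo "--- allowlist check ---"
for v in "$BENIGN" "$PAYLOAD_SEPARATOR" "$PAYLOAD_SUBST"; do
    if pattern_is_safe "$v"; then echo "accept: $v"; else echo "reject: $v"; fi
done
```

In the vulnerable step the separator payload runs echo INJECTED as a separate command and the substitution payload runs it during the assignment; in the hardened step both payloads are printed back verbatim. The allowlist is deliberately narrow: it is easier to extend a known-good character set than to enumerate every delimiter a shell might honour.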
As a temporary workaround, tightly control which workflows use this action and where the value of its pattern input comes from; in particular, never build it from data an outside party can influence (such as event payload fields). This only reduces the risk of exploitation; updating is the fix.
Exploit
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Syntax-Check