PT-2024-35384 · Unknown · Step-Security/Harden-Runner

Woodruffw · Published 2024-11-18 · Updated 2024-11-19 · CVE-2024-52587

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: step-security/harden-runner versions prior to v2.10.2

Description: The issue concerns command injection weaknesses via environment variables in step-security/harden-runner. These weaknesses could potentially be exploited under specific conditions. However, due to the current execution order of pre-steps in GitHub Actions and the placement of harden-runner as the first step in a job, the likelihood of exploitation is low. There are no known exploits at this time. The weaknesses are found in several areas, including the use of execSync with interpolated variables, such as process.env.USER and $USER, which an attacker could modify to inject arbitrary shell expressions. Additionally, the expansion of getRunnerTempDir() may be injectable due to its dependence on potentially attacker-controllable environment variables, such as RUNNER_TEMP.

Recommendations: For versions prior to v2.10.2, update to version 2.10.2, which contains a patch for the command injection weaknesses. As a temporary workaround, consider restricting the modification of environment variables, such as USER and RUNNER_TEMP, to minimize the risk of exploitation. Additionally, consider replacing the use of execSync with execFileSync or a similar call that does not go through a shell, to reduce the risk of command injection.
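
The difference between the two calls named above, as an added Node.js example (not harden-runner's code). The function names, the `echo` stand-in command and the sample values are assumptions made for illustration, and the example assumes a POSIX system.

```javascript
// Added example, not harden-runner's code. `echo` stands in for the real command.
const { execSync, execFileSync } = require("node:child_process");

// Vulnerable pattern: the value is interpolated into a string that /bin/sh
// parses, so shell metacharacters inside it are treated as syntax.
function echoUnsafe(name, value) {
  return execSync(`echo ${name}=${value}`, { encoding: "utf8" });
}

// Hardened pattern: execFileSync starts the program directly, without a shell.
// The value reaches it inside exactly one argv entry, whatever it contains.
function echoSafe(name, value) {
  return execFileSync("echo", [`${name}=${value}`], { encoding: "utf8" });
}

// Constructed sample values: each carries a harmless marker command so the
// effect of shell parsing is visible in the output.
const tampered = {
  USER: "runner; echo INJECTED_VIA_USER",
  RUNNER_TEMP: "/tmp/$(echo INJECTED_VIA_TEMP)",
};

// Run both patterns over every sample value and collect the output.
function demo() {
  const rows = {};
  for (const [name, value] of Object.entries(tampered)) {
    rows[name] = {
      unsafe: echoUnsafe(name, value),
      safe: echoSafe(name, value),
    };
  }
  return rows;
}

console.log(demo());
```

With `execSync` the marker commands run; with `execFileSync` the same bytes come back as literal text.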

Exploit

Fix

Weakness Enumeration: OS Command Injection

Related Identifiers: CVE-2024-52587, GHSA-G85V-WF27-67XC

Affected Products: Step-Security/Harden-Runner