
THREATINT
PUBLISHED

CVE-2024-45798

Multiple Poisoned Pipeline Execution (PPE) vulnerabilities



Description

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. The `arduino-esp32` CI is vulnerable to multiple Poisoned Pipeline Execution (PPE) vulnerabilities: code injection in the `tests_results.yml` workflow (`GHSL-2024-169`) and environment variable injection (`GHSL-2024-170`). These issues have been addressed, but users are advised to verify the contents of the downloaded artifacts.
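As an added illustration of the two weakness classes named above (not code from arduino-esp32 or from the advisory), a stdlib-only scanner that flags both patterns in a constructed workflow: an untrusted `${{ }}` context expanded by the runner directly into a `run:` script, and a computed shell value appended to `$GITHUB_ENV` where later steps inherit it. The sample workflow and the list of untrusted contexts are assumptions, not the real `tests_results.yml`.

```python
import re  # stdlib only; the scan is line-based, so no YAML library is needed
# Constructed sample workflow, not the real arduino-esp32 tests_results.yml.
SAMPLE_WORKFLOW = """\
on: workflow_run
jobs:
  report:
    runs-on: ubuntu-latest
    steps:
      - name: untrusted expression expanded into the script text
        run: echo "branch ${{ github.event.workflow_run.head_branch }}"
      - name: artifact content appended to GITHUB_ENV for later steps
        run: |
          echo "PR_NUM=$(cat artifacts/pr_num)" >> $GITHUB_ENV
      - name: same value passed as an env var, not spliced into the script
        env:
          BRANCH: ${{ github.event.workflow_run.head_branch }}
        run: echo "branch $BRANCH"
"""
# Assumed contributor-controlled contexts (see the advisory's untrusted-input reference).
UNTRUSTED = ("github.event.workflow_run.", "github.event.pull_request.",
             "github.event.issue.", "github.event.comment.", "github.head_ref")
EXPR_RE = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")
RUN_RE = re.compile(r"^(\s*(?:-\s*)?)run:\s*(.*)$")
ENV_WRITE_RE = re.compile(r'>>\s*"?\$\{?GITHUB_ENV\}?"?')
def run_lines(workflow_text):
    """Yield (line_no, text) for each line that is part of a run: script."""
    block_indent = None  # indent of the run: key while inside a block scalar
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = RUN_RE.match(line)
        if m:
            if m.group(2) in ("|", ">", "|-", ">-"):
                block_indent = len(m.group(1))  # multi-line script follows
            else:
                block_indent = None
                yield no, m.group(2)  # inline script
        elif block_indent is not None and line.strip():
            if len(line) - len(line.lstrip()) > block_indent:
                yield no, line.strip()
            else:
                block_indent = None

def find_untrusted_expressions(workflow_text):
    """Untrusted ${{ }} values the runner expands straight into shell text."""
    return [(no, e) for no, text in run_lines(workflow_text)
            for e in EXPR_RE.findall(text) if e.startswith(UNTRUSTED)]

def find_dynamic_env_writes(workflow_text):
    """Lines where a computed shell value is appended to GITHUB_ENV."""
    return [no for no, text in run_lines(workflow_text)
            if ENV_WRITE_RE.search(text) and "$" in text.split(">>")[0]]
```

The third step in the sample shows the mitigation the scanner does not flag: the value is bound to an environment variable, so the shell sees it as data rather than as script text.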

Reserved 2024-09-09 | Published 2024-09-17 | Updated 2024-09-18 | Assigner GitHub_M


CRITICAL: 10.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-20: Improper Input Validation

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-94: Improper Control of Generation of Code ('Code Injection')

Product status

Commits prior to a7cec020df8f1a815bd8dfd2559f51a2216bcf1c: affected

References

github.com/...-esp32/security/advisories/GHSA-h52q-xhg2-6jw8

codeql.github.com/...javascript/js-actions-command-injection

github.com/...1a3eee270f/.github/workflows/tests_results.yml

securitylab.github.com/...ub-actions-preventing-pwn-requests

securitylab.github.com/...rch/github-actions-untrusted-input

cve.org (CVE-2024-45798)

nvd.nist.gov (CVE-2024-45798)
