We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-47179

RSSHub's `docker-test-cont.yml` workflow is vulnerable to Artifact Poisoning which may lead to a full repository takeover.



Description

RSSHub is an RSS network. Prior to commit 64e00e7, RSSHub's `docker-test-cont.yml` workflow is vulnerable to Artifact Poisoning, which could have lead to a full repository takeover. Downstream users of RSSHub are not vulnerable to this issue, and commit 64e00e7 fixed the underlying issue and made the repository no longer vulnerable. The `docker-test-cont.yml` workflow gets triggered when the `PR - Docker build test` workflow completes successfully. It then collects some information about the Pull Request that triggered the triggering workflow and set some labels depending on the PR body and sender. If the PR also contains a `routes` markdown block, it will set the `TEST_CONTINUE` environment variable to `true`. The workflow then downloads and extracts an artifact uploaded by the triggering workflow which is expected to contain a single `rsshub.tar.zst` file. However, prior to commit 64e00e7, it did not validate and the contents were extracted in the root of the workspace overriding any existing files. Since the contents of the artifact were not validated, it is possible for a malicious actor to send a Pull Request which uploads, not just the `rsshub.tar.zst` compressed docker image, but also a malicious `package.json` file with a script to run arbitrary code in the context of the privileged workflow. As of commit 64e00e7, this scenario has been addressed and the RSSHub repository is no longer vulnerable.

Reserved 2024-09-19 | Published 2024-09-26 | Updated 2024-10-02 | Assigner GitHub_M


HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-20: Improper Input Validation

Product status

< 64e00e7
affected

References

github.com/...RSSHub/security/advisories/GHSA-9mqc-fm24-h8cw

github.com/...ommit/64e00e743aba2a239508fea97825994e3d687ecc

codeql.github.com/...javascript/js-actions-command-injection

github.com/...SSHub/actions/runs/10141104413/job/28037643579

github.com/...65395f5/.github/workflows/docker-test-cont.yml

securitylab.github.com/advisories/GHSL-2024-178_RSSHub

securitylab.github.com/...ub-actions-preventing-pwn-requests

securitylab.github.com/...rch/github-actions-untrusted-input

cve.org (CVE-2024-47179)

nvd.nist.gov (CVE-2024-47179)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-47179

Support options

Helpdesk Chat, Email, Knowledgebase
Telegram Chat
Subscribe to our newsletter to learn more about our work.