CVE-2024-42482

CVSS 3.1 Score 6.5 of 10 (medium)

Details

Published: Aug 12, 2024
Updated: Sep 17, 2024
CWE ID: 140 (Improper Neutralization of Delimiters)

Summary

CVE-2024-42482 is a vulnerability in the GitHub Action "fish-shop/syntax-check", which syntax-checks fish shell files. The action does not properly neutralize delimiters, specifically command separators and command substitution characters, in its `pattern` input. An attacker who can influence the value of `pattern` used in a workflow can therefore inject arbitrary commands. The potential consequences include exposure or exfiltration of sensitive information, such as environment variables, from the workflow runner. To mitigate this, users are advised to upgrade to version 1.6.12 or the latest release, 2.0.0. As a more immediate remedy, workflow authors should tightly control which workflows use this action and what value is passed to its `pattern` input.
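The weakness class here (CWE-140) is input reaching a shell with its delimiters intact. The following is an added example, not code from the fish-shop project or from the advisory, of the kind of guard a workflow author can apply before a value ever reaches the `pattern` input: an allowlist check that accepts only what a file glob needs, a helper that reports which fish delimiter classes are present (useful for logging rejected values), and a quoting routine for the case where a value must be passed to fish as a literal. The allowlist and the sample inputs are assumptions constructed for this example.

```python
import re

# Fish command separators and command-substitution characters: the delimiter
# classes the advisory names. Constructed for this example, not from the project.
SEPARATORS = {";", "&", "|", "\n", "\r"}
SUBSTITUTION = {"(", ")", "$", "`"}

# Allowlist for a file-glob pattern such as "**.fish" or "src/**/*.fish".
# This is an assumption about what a legitimate pattern needs; tighten it
# further if your workflows use simpler patterns.
GLOB_ALLOWED = re.compile(r"[A-Za-z0-9_./*?\[\]{},\- ]+")
MAX_PATTERN_LEN = 512


def find_delimiters(pattern: str) -> dict:
    """Report which separator / substitution characters appear in a value.

    Intended for logging why a value was rejected, not for sanitising it:
    stripping characters is a weaker control than rejecting the input.
    """
    return {
        "separators": sorted(c for c in SEPARATORS if c in pattern),
        "substitution": sorted(c for c in SUBSTITUTION if c in pattern),
    }


def is_safe_pattern(pattern: str) -> bool:
    """Accept a value for the `pattern` input only if it is a plain glob."""
    if not pattern or len(pattern) > MAX_PATTERN_LEN:
        return False
    # fullmatch: the whole string must consist of allowlisted characters.
    return GLOB_ALLOWED.fullmatch(pattern) is not None


def fish_single_quote(value: str) -> str:
    """Wrap a value in fish single quotes so fish treats it as one literal word.

    Inside fish single quotes only backslash and the single quote itself are
    special, so those two are escaped. Separators and substitution characters
    lose their meaning inside the quotes.
    """
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return f"'{escaped}'"


def vet_pattern(pattern: str) -> tuple:
    """Return (accepted, detail) for a candidate `pattern` value."""
    if is_safe_pattern(pattern):
        return True, "ok"
    return False, find_delimiters(pattern)


if __name__ == "__main__":
    # Constructed sample values: two legitimate globs and one that carries
    # a command separator and a command substitution.
    samples = ["**.fish", "src/**/*.fish", "*.fish; echo hi (pwd)"]
    for s in samples:
        print(repr(s), "->", vet_pattern(s))
```

Usage note: run the allowlist check in the workflow step that computes the value (for example in a preceding step that fails the job when `is_safe_pattern` returns False) rather than relying on the action to neutralise delimiters; the quoting helper is only for cases where a value must be handed to fish as a literal argument, and it does not make a rejected value acceptable as a glob.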

