CVE-2024-52587

CVSS 3.1 Score 8.8 of 10 (high)

Details

Published Nov 18, 2024
Updated: Nov 19, 2024
CWE ID 78

Summary

CVE-2024-52587 is a vulnerability affecting StepSecurity's Harden-Runner, a network egress filtering and runtime security solution for GitHub-hosted and self-hosted runners. Earlier versions of step-security/harden-runner, specifically those below v2.10.2, have multiple command injection weaknesses that can be exploited via environment variables. The risk of exploitation is low due to the current execution order of pre-steps in GitHub Actions and the placement of Harden-Runner as the first step in a job. No known exploits have been reported, and users are advised to update to version 2.10.2, which contains a patch to address the issue.
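A check that follows from the update advice above, as an added example (not code from the advisory or from StepSecurity): it scans workflow text for `step-security/harden-runner` references and flags pins below v2.10.2. The sample workflow and its 40-character SHA are constructed, and reading a version from a trailing `# vX.Y.Z` comment on a SHA pin is an assumption about how the workflow is annotated.

```python
import re

FIXED = (2, 10, 2)  # first patched release named in the advisory

# "uses: step-security/harden-runner@<ref>" with an optional trailing "# vX.Y.Z"
USES_RE = re.compile(
    r"uses:\s*['\"]?step-security/harden-runner@([^\s'\"#]+)['\"]?"
    r"(?:\s*#\s*(\S+))?", re.IGNORECASE)
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")

def classify(ref, comment=None):
    """Return 'vulnerable', 'patched' or 'unknown' for one pinned reference."""
    for candidate in (ref, comment):
        m = SEMVER_RE.match(candidate or "")
        if m:
            # Compare as integer tuples so that 2.10.x sorts after 2.9.x.
            version = tuple(int(part) for part in m.groups())
            return "vulnerable" if version < FIXED else "patched"
    # Bare SHA, floating major tag (v2) or branch: needs a lookup
    # against the action's repository, which this offline check does not do.
    return "unknown"

def scan_workflow(text):
    """Return (line number, ref, verdict) for every harden-runner step."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out step
        m = USES_RE.search(line)
        if m:
            findings.append((lineno, m.group(1), classify(m.group(1), m.group(2))))
    return findings

# Constructed sample workflow; the SHA is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2.10.1
      - uses: step-security/harden-runner@0123456789abcdef0123456789abcdef01234567 # v2.9.0
      - uses: step-security/harden-runner@v2.10.2
      - uses: step-security/harden-runner@v2
      # - uses: step-security/harden-runner@v2.0.0
"""

if __name__ == "__main__":
    for lineno, ref, verdict in scan_workflow(SAMPLE):
        print(f"line {lineno}: {ref} -> {verdict}")
```

A version comment next to a SHA pin is only a hint written by whoever edited the workflow, so `unknown` results and comment-derived verdicts should be confirmed against the action's release tags.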
