CVE-2024-52587
CVSS 3.1 Score 8.8 of 10 (high)
Details
Summary
CVE-2024-52587 is a vulnerability affecting StepSecurity's Harden-Runner, a network egress filtering and runtime security solution for GitHub-hosted and self-hosted runners. Versions of step-security/harden-runner below v2.10.2 contain multiple command injection weaknesses that can be triggered through attacker-controlled environment variables. The practical risk of exploitation is low because of the current execution order of pre-steps in GitHub Actions and because Harden-Runner is placed as the first step in a job, so an attacker would have limited opportunity to set those variables before it runs. No known exploits have been reported. Users are advised to update to version 2.10.2, which contains the patch for this issue.