
x/vulndb: potential Go vuln in github.com/nektos/act: CVE-2023-22726 #1506

Closed
GoVulnBot opened this issue Jan 20, 2023 · 2 comments
Assignees
Labels
duplicate excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package that can be imported, but isn't meant to be used outside that module.

Comments

@GoVulnBot

CVE-2023-22726 references github.com/nektos/act, which may be a Go module.

Description:
act is a project which allows for local running of GitHub Actions. The artifact server that stores artifacts from GitHub Action runs does not sanitize path inputs. This allows an attacker to download and overwrite arbitrary files on the host from a GitHub Action. This issue may lead to privilege escalation. The /upload endpoint is vulnerable to path traversal as filepath is user controlled, and ultimately flows into os.Mkdir and os.Open. The /artifact endpoint is vulnerable to path traversal as the path variable is user controlled, and the specified file is ultimately returned by the server. This has been addressed in version 0.2.40. Users are advised to upgrade. Users unable to upgrade may, during implementation of Open and OpenAtEnd for FS, ensure to use ValidPath() to check against path traversal or clean the user-provided paths manually.

References:

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

```yaml
modules:
  - module: github.com/nektos/act
    packages:
      - package: act
description: |
    act is a project which allows for local running of GitHub Actions. The artifact server that stores artifacts from GitHub Action runs does not sanitize path inputs. This allows an attacker to download and overwrite arbitrary files on the host from a GitHub Action. This issue may lead to privilege escalation. The /upload endpoint is vulnerable to path traversal as filepath is user controlled, and ultimately flows into os.Mkdir and os.Open. The /artifact endpoint is vulnerable to path traversal as the path variable is user controlled, and the specified file is ultimately returned by the server. This has been addressed in version 0.2.40. Users are advised to upgrade. Users unable to upgrade may, during implementation of Open and OpenAtEnd for FS, ensure to use ValidPath() to check against path traversal or clean the user-provided paths manually.
cves:
  - CVE-2023-22726
references:
  - web: https://github.com/nektos/act/security/advisories/GHSA-pc99-qmg4-rcff
  - web: https://github.com/nektos/act/issues/1553
  - fix: https://github.com/nektos/act/commit/63ae215071f94569d910964bdee866d91d6e3a10
  - web: https://github.com/nektos/act/blob/master/pkg/artifacts/server.go#L65
  - web: https://github.com/nektos/act/blob/v0.2.35/pkg/artifacts/server.go#L245
  - web: https://github.com/nektos/act/blob/v0.2.35/pkg/artifacts/server.go#LL103C2-L103C2
  - web: https://securitylab.github.com/advisories/GHSL-2023-004_act/
```
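The mitigation the description recommends (checking user-supplied artifact paths with `fs.ValidPath` or cleaning them before they reach `os.Mkdir`/`os.Open`) as a stand-alone, added example; this is not act's own code. The function name `SafeArtifactPath`, the artifact root directory and the sample inputs are all assumptions constructed for the example; the check also rejects backslashes, which `fs.ValidPath` accepts but `filepath.Join` on Windows would treat as separators.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned when a user-supplied path is absolute, contains
// "." or ".." elements, or would otherwise resolve outside the artifact root.
var ErrUnsafePath = errors.New("unsafe artifact path")

// SafeArtifactPath maps a user-controlled path (the "filepath"/"path" request
// parameter in the description) onto a location strictly inside root.
// Hypothetical helper, not act's API.
func SafeArtifactPath(root, userPath string) (string, error) {
	// fs.ValidPath is slash-only and accepts backslashes and NUL as ordinary
	// characters; reject them so the OS-level join cannot reinterpret them.
	if strings.ContainsAny(userPath, "\\\x00") {
		return "", ErrUnsafePath
	}
	// ValidPath refuses "", absolute paths, and any "." or ".." element.
	// "." alone is a valid FS root but is not a usable artifact name here.
	if !fs.ValidPath(userPath) || userPath == "." {
		return "", ErrUnsafePath
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	full := filepath.Join(absRoot, filepath.FromSlash(userPath))
	// Second, independent check: the cleaned result must still lie under root.
	rel, err := filepath.Rel(absRoot, full)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return full, nil
}

func main() {
	// Constructed sample inputs: one legitimate name, then the traversal shapes
	// the advisory describes for the /upload and /artifact endpoints.
	for _, p := range []string{"run-1/results.txt", "../../../etc/passwd", "/etc/passwd", "a/./b", ""} {
		_, err := SafeArtifactPath("/var/lib/act/artifacts", p)
		fmt.Printf("%-22q -> %v\n", p, err)
	}
}
```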

@julieqiu julieqiu added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package that can be imported, but isn't meant to be used outside that module. label Jan 24, 2023
@julieqiu julieqiu self-assigned this Jan 30, 2023
@gopherbot (Contributor)

Change https://go.dev/cl/464316 mentions this issue: data/excluded: batch add excluded reports

@julieqiu (Member)

Duplicate of #1504

@julieqiu julieqiu marked this as a duplicate of #1504 Jan 31, 2023
gopherbot pushed a commit that referenced this issue Jan 31, 2023
Add reports:
- GO-2023-1509
- GO-2023-1506
- GO-2023-1504
- GO-2023-1502
- GO-2023-1492
- GO-2023-1491
- GO-2023-1388
- GO-2023-1377
- GO-2023-1500
- GO-2023-1499
- GO-2023-1498
- GO-2023-1496
- GO-2023-1468
- GO-2023-1466
- GO-2023-1463
- GO-2023-1283

Fixes #1509
Fixes #1506
Fixes #1504
Fixes #1502
Fixes #1492
Fixes #1491
Fixes #1388
Fixes #1377
Fixes #1500
Fixes #1499
Fixes #1498
Fixes #1496
Fixes #1468
Fixes #1466
Fixes #1463
Fixes #1283

Change-Id: Ibe656933231f6f86ad496bd2d1a6c1c506c504cc
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/464316
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Julie Qiu <julieqiu@google.com>
Auto-Submit: Julie Qiu <julieqiu@google.com>