Bug 2327147 (CVE-2024-52587) - CVE-2024-52587 harden-runner: Harden-Runner has command injection weaknesses in `setup.ts` and `arc-runner.ts`
Summary: CVE-2024-52587 harden-runner: Harden-Runner has command injection weaknesses ...
Keywords:
Status: NEW
Alias: CVE-2024-52587
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-11-18 23:01 UTC by OSIDB Bzimport
Modified: 2024-11-20 12:16 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2024-11-18 23:01:03 UTC
StepSecurity's Harden-Runner provides network egress filtering and runtime security for GitHub-hosted and self-hosted runners. Versions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via environment variables that could potentially be exploited under specific conditions. However, because of the current execution order of pre-steps in GitHub Actions and the placement of harden-runner as the first step in a job, the likelihood of exploitation is low: the Harden-Runner action reads the environment variable during the pre-step stage, before later steps can influence it. There are no known exploits at this time. Version 2.10.2 contains a patch.

