Coordinated Disclosure Timeline
- 2021-01-18: Report sent to maintainers.
- 2021-01-21: Maintainers acknowledged.
- 2021-01-21: Issue resolved.
Summary
GitHub workflow in benjamin-maynard/kubernetes-cloud-mysql-backup GitHub repository repository is vulnerable to arbitrary code execution from user comments.
Product
benjamin-maynard/kubernetes-cloud-mysql-backup GitHub repository repository
Tested Version
The latest changeset run-pr-tests.yaml to the date.
Details
Issue: A comment body is used to format a shell command
on:
issue_comment:
types: [created]
...
run: |
echo "Comment Creator: ${{ github.event.comment.user.login }}"
echo "Comment Body: ${{ github.event.comment.body }}"
exit 1
Impact
This vulnerability allows for arbitrary command injection into the bash script which allows for unauthorized modification of the base repository and secrets exfiltration. For a proof a concept on a pull request with a"; exit 0.
Credit
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-014 in any communication regarding this issue.