Vulnerability Details : CVE-2023-22726
act is a project that allows GitHub Actions to be run locally. The artifact server that stores artifacts from GitHub Actions runs does not sanitize path inputs. This allows an attacker to download and overwrite arbitrary files on the host from a GitHub Action, which may lead to privilege escalation. The /upload endpoint is vulnerable to path traversal because `filepath` is user controlled and ultimately flows into os.Mkdir and os.Open. The /artifact endpoint is vulnerable to path traversal because the `path` variable is user controlled and the specified file is ultimately returned by the server. This has been addressed in version 0.2.40, and users are advised to upgrade. Users unable to upgrade may, when implementing Open and OpenAtEnd for FS, use ValidPath() to check for path traversal or clean the user-provided paths manually.
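The workaround above is the whole fix in miniature: every user-supplied path must be validated before it reaches os.Open or os.Mkdir. The following is an added example, not act's own code, of how a small root-confined filesystem can gate both the download (Open) and upload (Create) side with io/fs's ValidPath plus a containment check on the joined result. The `artifactFS` type, its `resolve` helper and the sample request paths are constructed for illustration; act's real `OpenAtEnd` is not modelled here.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// artifactFS is a hypothetical, minimal filesystem rooted at one directory.
// It stands in for the store behind an /upload and /artifact endpoint pair;
// it is not act's own type.
type artifactFS struct {
	root string // directory every artifact must live under
}

// Compile-time check that artifactFS satisfies fs.FS.
var _ fs.FS = (*artifactFS)(nil)

// resolve maps an untrusted, slash-separated request path onto a path
// beneath root. It fails closed: anything fs.ValidPath would not accept
// ("..", ".", empty elements, absolute paths) is rejected before any
// filesystem call, and the joined result is re-checked to be inside root.
func (a *artifactFS) resolve(name string) (string, error) {
	// fs.ValidPath only understands '/'; treat a backslash as hostile
	// rather than guessing whether the client meant a separator.
	if strings.ContainsRune(name, '\\') {
		return "", fs.ErrInvalid
	}
	// ValidPath accepts "." (the root itself), which is never an artifact.
	if name == "." || !fs.ValidPath(name) {
		return "", fs.ErrInvalid
	}
	full := filepath.Join(a.root, filepath.FromSlash(name))
	rel, err := filepath.Rel(a.root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fs.ErrInvalid
	}
	return full, nil
}

// Open implements fs.FS (the /artifact side). Traversal attempts yield a
// *fs.PathError wrapping fs.ErrInvalid, the same shape the standard
// library uses for malformed names.
func (a *artifactFS) Open(name string) (fs.File, error) {
	full, err := a.resolve(name)
	if err != nil {
		return nil, &fs.PathError{Op: "open", Path: name, Err: err}
	}
	return os.Open(full)
}

// Create is the /upload counterpart: parent directories and the file are
// created only after the path has passed the same validation.
func (a *artifactFS) Create(name string) (*os.File, error) {
	full, err := a.resolve(name)
	if err != nil {
		return nil, &fs.PathError{Op: "create", Path: name, Err: err}
	}
	if err := os.MkdirAll(filepath.Dir(full), 0o755); err != nil {
		return nil, err
	}
	return os.Create(full)
}

func main() {
	root, err := os.MkdirTemp("", "artifacts")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	store := &artifactFS{root: root}

	// A well-formed upload lands under root.
	f, err := store.Create("build/output.txt")
	if err != nil {
		panic(err)
	}
	f.WriteString("constructed artifact contents\n")
	f.Close()

	// Constructed request paths; each is refused before any filesystem call.
	for _, p := range []string{"../../etc/passwd", "/etc/passwd", "build/../../x", "a//b", ".", ""} {
		_, err := store.Open(p)
		fmt.Printf("%-20q -> %v\n", p, err)
	}
}
```

The second containment check after filepath.Join is redundant once ValidPath has passed, but keeping it means a future change to the validation rules (say, accepting backslashes) cannot silently reopen the hole.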
Vulnerability category: Directory traversal; Gain privilege
Products affected by CVE-2023-22726
- cpe:2.3:a:act_project:act:*:*:*:*:*:go:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-22726
0.49% - Probability of exploitation activity in the next 30 days
~77% - Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-22726
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | 
8.0 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | 2.1 | 5.9 | GitHub, Inc. | 
CWE ids for CVE-2023-22726
- The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. (Assigned by: nvd@nist.gov, Primary)
- The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. (Assigned by: security-advisories@github.com, Secondary)
References for CVE-2023-22726
- https://github.com/nektos/act/blob/v0.2.35/pkg/artifacts/server.go#L245 (act/server.go at v0.2.35 · nektos/act · GitHub; Third Party Advisory)
- https://github.com/nektos/act/commit/63ae215071f94569d910964bdee866d91d6e3a10 (fix: update artifact server to address GHSL-2023-004 (#1565) · nektos/act@63ae215 · GitHub; Patch; Third Party Advisory)
- https://github.com/nektos/act/issues/1553 (Github Security Lab: GHSL-2023-004 · Issue #1553 · nektos/act · GitHub; Issue Tracking; Third Party Advisory)
- https://securitylab.github.com/advisories/GHSL-2023-004_act/ (GHSL-2023-004: Arbitrary file upload and download in act - CVE-2023-22726 | GitHub Security Lab; Exploit; Third Party Advisory)
- https://github.com/nektos/act/security/advisories/GHSA-pc99-qmg4-rcff (Github Security Lab: GHSL-2023-004 · Advisory · nektos/act · GitHub; Exploit; Third Party Advisory)
- https://github.com/nektos/act/blob/master/pkg/artifacts/server.go#L65 (act/server.go at master · nektos/act · GitHub; Third Party Advisory)
- https://github.com/nektos/act/blob/v0.2.35/pkg/artifacts/server.go#LL103C2-L103C2 (act/server.go at v0.2.35 · nektos/act · GitHub; Third Party Advisory)