CVE - CVE-2024-47179

CVE-ID
CVE-2024-47179	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
RSSHub is an RSS network. Prior to commit 64e00e7, RSSHub's `docker-test-cont.yml` workflow is vulnerable to Artifact Poisoning, which could have lead to a full repository takeover. Downstream users of RSSHub are not vulnerable to this issue, and commit 64e00e7 fixed the underlying issue and made the repository no longer vulnerable. The `docker-test-cont.yml` workflow gets triggered when the `PR - Docker build test` workflow completes successfully. It then collects some information about the Pull Request that triggered the triggering workflow and set some labels depending on the PR body and sender. If the PR also contains a `routes` markdown block, it will set the `TEST_CONTINUE` environment variable to `true`. The workflow then downloads and extracts an artifact uploaded by the triggering workflow which is expected to contain a single `rsshub.tar.zst` file. However, prior to commit 64e00e7, it did not validate and the contents were extracted in the root of the workspace overriding any existing files. Since the contents of the artifact were not validated, it is possible for a malicious actor to send a Pull Request which uploads, not just the `rsshub.tar.zst` compressed docker image, but also a malicious `package.json` file with a script to run arbitrary code in the context of the privileged workflow. As of commit 64e00e7, this scenario has been addressed and the RSSHub repository is no longer vulnerable.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:https://codeql.github.com/codeql-query-help/javascript/js-actions-command-injection URL:https://codeql.github.com/codeql-query-help/javascript/js-actions-command-injection MISC:https://github.com/DIYgod/RSSHub/actions/runs/10141104413/job/28037643579#step:1:17 URL:https://github.com/DIYgod/RSSHub/actions/runs/10141104413/job/28037643579#step:1:17 MISC:https://github.com/DIYgod/RSSHub/blob/e08733f94c81440d19ee6a5fd5e915e9a65395f5/.github/workflows/docker-test-cont.yml URL:https://github.com/DIYgod/RSSHub/blob/e08733f94c81440d19ee6a5fd5e915e9a65395f5/.github/workflows/docker-test-cont.yml MISC:https://github.com/DIYgod/RSSHub/commit/64e00e743aba2a239508fea97825994e3d687ecc URL:https://github.com/DIYgod/RSSHub/commit/64e00e743aba2a239508fea97825994e3d687ecc MISC:https://github.com/DIYgod/RSSHub/security/advisories/GHSA-9mqc-fm24-h8cw URL:https://github.com/DIYgod/RSSHub/security/advisories/GHSA-9mqc-fm24-h8cw MISC:https://securitylab.github.com/research/github-actions-preventing-pwn-requests URL:https://securitylab.github.com/research/github-actions-preventing-pwn-requests MISC:https://securitylab.github.com/research/github-actions-untrusted-input URL:https://securitylab.github.com/research/github-actions-untrusted-input
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20240919	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20240919)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)