high

Docker Command Escaping in GitHub Actions Runner

Published Mon, Oct 24th, 2022

Platforms

Summary

A vulnerability in the GitHub Actions Runner allowed untrusted inputs in environment variables to escape and modify docker command invocations. This affected jobs using container actions, job containers, or service containers. The issue has been patched in multiple versions of the runner.

Affected Services

GitHub Actions

Remediation

Update to one of the patched runner versions: 2.296.2, 2.293.1, 2.289.4, 2.285.2, or 2.283.4. GHES and GHAE customers should patch their instances for automatic runner upgrades.

Tracked CVEs

CVE-2022-39321

References

https://github.com/advisories/GHSA-2c6m-6gqh-6qg3

Contributed by https://github.com/sshayb

Entry Status

Finalized

Disclosure Date

Exploitability Period

Until 2022/10/24

Known ITW Exploitation

Detection Methods

Check the version of your GitHub Actions Runner. If using a vulnerable version, review jobs for potential exploitation of environment variables in container-related actions.

Piercing Index Rating

Discovered by

Juho Nurminen

More vulnerabilities...

BlueBleed

In September 22', SOCRadar discovered an insecure public Azure blob storage owned by Microsoft (olyympusv2.blob.core.windows[.]net). This blob storage was used for storing emails and other document...

SOCRadarOct 19, 2022

medium

Azure Arc-enabled Kubernetes privilege escalation

Azure Arc allows customers to connect on-premises Kubernetes clusters to Azure. This is facilitated by middleware (the Azure Arc-enabled Kubernetes agent) which includes a "cluster connect" feature...

Mo Khan, MicrosoftOct 11, 2022

medium

FabriXss

Service Fabric Explorer (SFX) is a tool for inspecting and managing Azure Service Fabric clusters. An attacker with existing access to a "Deployer" type user with CreateComposeDeployment permission...

Lidor Ben Shitrit, Roee Sag...Oct 11, 2022

View all