CVE-2024-47179

Improper Input Validation (CWE-20)

Published: Sep 26, 2024 / Updated: 54d ago

CVSS: 8.8 (High) / EPSS: 0.04%

Summary

RSSHub, an RSS network, had a vulnerability in its `docker-test-cont.yml` workflow prior to commit 64e00e7. This workflow was susceptible to Artifact Poisoning, which could lead to a full repository takeover. The vulnerability stemmed from the workflow's failure to validate the contents of an artifact downloaded from a triggering workflow. This allowed potential attackers to include malicious files, such as a compromised `package.json`, which could execute arbitrary code within the privileged workflow context.

Impact

The impact of this vulnerability is severe. An attacker could potentially gain full control over the RSSHub repository. This could lead to:

1. Unauthorized code execution in the context of privileged workflows
2. Manipulation or corruption of the RSSHub codebase
3. Potential distribution of compromised versions of RSSHub to downstream users
4. Loss of integrity and confidentiality of the repository data
5. Possible use of the compromised repository for further attacks or malware distribution

The CVSS v3.1 base score for this vulnerability is 8.8 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This indicates a high severity vulnerability with potential for significant damage.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of exploitation at the moment.

Patch

A patch is available. The vulnerability was fixed in commit 64e00e7. RSSHub users should ensure they are using a version of RSSHub that includes this commit or a later version. It's important to note that downstream users of RSSHub were not vulnerable to this issue, but repository maintainers and contributors should update immediately.

Mitigation

To mitigate this vulnerability:

1. Update RSSHub to a version that includes commit 64e00e7 or later.
2. Review and audit any workflows that download and extract artifacts, ensuring proper validation is in place.
3. Implement least privilege principles for CI/CD workflows, limiting the potential impact of similar vulnerabilities.
4. Regularly audit and update GitHub Actions workflows, especially those handling external inputs or artifacts.
5. Consider implementing additional security measures such as code signing for artifacts to prevent tampering.
6. Monitor repository activities closely for any signs of unauthorized changes or suspicious pull requests.

Given the high severity of this vulnerability and its potential for full repository takeover, it should be prioritized for immediate patching and mitigation in any environment where RSSHub is used or maintained.
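One way to implement the artifact validation called for in mitigation item 2, as an added example that is not RSSHub's code and not the change made in commit 64e00e7. The function name `validate_artifact_dir` and the scratch-directory layout are assumptions; the expected file name `rsshub.tar.zst` is the one the advisory text names.

```shell
#!/bin/sh
# Added example (not RSSHub's code): allow-list check for a downloaded artifact.
# Assumption: the artifact is unpacked into its own scratch directory, never
# into the repository checkout, so it cannot overwrite files such as package.json.

# validate_artifact_dir DIR EXPECTED_NAME
# Succeeds only if DIR holds exactly one entry at any depth, named
# EXPECTED_NAME, that is a regular non-empty file and not a symlink.
validate_artifact_dir() {
    dir=$1
    expected=$2

    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "reject: $dir is not a real directory" >&2
        return 1
    fi

    # Count every entry below DIR, dotfiles and nested paths included.
    count=$(find "$dir" -mindepth 1 | wc -l | tr -d ' ')
    if [ "$count" -ne 1 ]; then
        echo "reject: expected 1 entry, found $count" >&2
        return 1
    fi

    target=$dir/$expected
    if [ -L "$target" ] || [ ! -f "$target" ] || [ ! -s "$target" ]; then
        echo "reject: $expected missing, empty, or not a regular file" >&2
        return 1
    fi
    return 0
}

# Constructed sample input: one clean artifact, one with an extra file.
demo_root=$(mktemp -d)
mkdir "$demo_root/clean" "$demo_root/poisoned"
echo "constructed image bytes" > "$demo_root/clean/rsshub.tar.zst"
echo "constructed image bytes" > "$demo_root/poisoned/rsshub.tar.zst"
echo '{}' > "$demo_root/poisoned/package.json"

for d in clean poisoned; do
    if validate_artifact_dir "$demo_root/$d" rsshub.tar.zst 2>/dev/null; then
        echo "$d: accepted"
    else
        echo "$d: rejected"
    fi
done
rm -rf "$demo_root"
```

In a privileged workflow, a check like this belongs immediately after the download step and before any step that reads or executes files from the workspace.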

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article
Feedly found the first article mentioning CVE-2024-47179.
Sep 26, 2024 at 7:17 PM / Vulners.com RSS Feed

CVE Assignment
NVD published the first details for CVE-2024-47179
Sep 26, 2024 at 8:15 PM

CVSS Estimate
Feedly estimated the CVSS score as HIGH
Sep 26, 2024 at 8:18 PM

CVSS
A CVSS base score of 8.8 has been assigned.
Sep 26, 2024 at 8:20 PM / nvd

EPSS
EPSS Score was set to: 0.04% (Percentile: 10.9%)
Sep 27, 2024 at 9:37 AM

Affected Systems

Rsshub/rsshub

Links to MITRE ATT&CK

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-10: Buffer Overflow via Environment Variables

News

Security Bulletin 02 Oct 2024 - Cyber Security Agency of Singapore
This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing ...
Update Wed Oct 2 22:37:10 UTC 2024
GHSL-2024-178: Possible full repository takeover for RSSHub through Artifact Poisoning - CVE-2024-47179
Since the contents of the artifact have not been validated, it is possible for a malicious actor to send a Pull Request which uploads, not just the compressed docker image, but also a malicious file with a script to run arbitrary code in the context of the privileged workflow. RSSHub’s workflow is vulnerable to Artifact Poisoning which may lead to a full repository takeover.
CVE-2024-47179
Prior to commit 64e00e7, RSSHub's `docker-test-cont.yml` workflow is vulnerable to Artifact Poisoning, which could have led to a full repository takeover. The workflow then downloads and extracts an artifact uploaded by the triggering workflow which is expected to contain a single `rsshub.tar.zst` file.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
