CVE-2024-52587

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

Published: Nov 18, 2024 / Updated: 1d ago

CVSS 2.7 / EPSS 0.05% / Low

Summary

StepSecurity's Harden-Runner provides network egress filtering and runtime security for GitHub-hosted and self-hosted runners. Versions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via environment variables that could potentially be exploited under specific conditions. However, due to the current execution order of pre-steps in GitHub Actions and the placement of harden-runner as the first step in a job, the likelihood of exploitation is low as the Harden-Runner action reads the environment variable during the pre-step stage. There are no known exploits at this time.

Impact

If exploited, this vulnerability could allow an attacker to inject malicious commands via environment variables. This could potentially lead to unauthorized access, data breaches, or execution of arbitrary code on the affected systems. However, the impact is mitigated by the current execution order of pre-steps in GitHub Actions and the placement of harden-runner as the first step in a job, which significantly reduces the likelihood of successful exploitation. The CVSS v3.1 base score is 8.8 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating high potential impact on confidentiality, integrity, and availability if exploited.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of exploitation at the moment.

Patch

Version 2.10.2 of step-security/harden-runner contains a patch for this vulnerability.

Mitigation

1. Update step-security/harden-runner to version 2.10.2 or later.
2. Review and validate all environment variables used in GitHub Actions workflows, especially those that interact with the Harden-Runner.
3. Implement strict input validation for any user-supplied data that may be used in environment variables.
4. Maintain the Harden-Runner action as the first step in your GitHub Actions jobs to minimize the risk of exploitation.
5. Monitor for any suspicious activity or unexpected behavior in your GitHub Actions workflows.
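
The weakness class named in the Summary (an environment variable interpolated into an `execSync` command string) and the validation step in the Mitigation list, shown side by side. This is an added example, not code from Harden-Runner: `DEMO_TARGET_DIR` and all function names are hypothetical, the hostile value is constructed, and a POSIX `sh` and `echo` are assumed.

```javascript
// Added example; not code from step-security/harden-runner.
// Assumes Node.js on a POSIX system with `sh` and `echo` available.
const { execSync, execFileSync } = require("node:child_process");

// Constructed sample: DEMO_TARGET_DIR is a hypothetical variable name, and the
// value stands in for one that an untrusted source managed to set.
const sampleEnv = { DEMO_TARGET_DIR: "/tmp; echo INJECTED" };

// Weak pattern: the value is interpolated into a string that `sh -c` parses,
// so the `;` ends the intended command and starts a second one.
function describeUnsafe(env) {
  return execSync(`echo dir=${env.DEMO_TARGET_DIR}`, { encoding: "utf8" });
}

// Hardened pattern: no shell is involved. The whole value travels as one
// argv element, so metacharacters are plain data to the child process.
function describeSafe(env) {
  return execFileSync("echo", [`dir=${env.DEMO_TARGET_DIR}`], { encoding: "utf8" });
}

// Defence in depth: accept only the shape the workflow expects (here an
// absolute path built from a conservative character set) and fail closed.
function isPlainAbsolutePath(value) {
  return typeof value === "string" && /^\/[A-Za-z0-9._\/-]*$/.test(value);
}

function describeValidated(env) {
  if (!isPlainAbsolutePath(env.DEMO_TARGET_DIR)) {
    throw new Error("DEMO_TARGET_DIR rejected: unexpected characters");
  }
  return describeSafe(env);
}

// JSON.stringify makes the newline that separates the two commands visible.
console.log("unsafe:", JSON.stringify(describeUnsafe(sampleEnv)));
console.log("safe:  ", JSON.stringify(describeSafe(sampleEnv)));
```

The unsafe call returns two lines of output because the shell ran two commands; the safe call returns the hostile value verbatim on one line.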

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

Vendor Advisory (Nov 18, 2024 at 8:57 PM): GitHub Advisories released a security advisory.

CVE Assignment (Nov 18, 2024 at 10:15 PM): NVD published the first details for CVE-2024-52587.

CVSS (Nov 18, 2024 at 10:20 PM / nvd): A CVSS base score of 2.7 has been assigned.

First Article (Nov 18, 2024 at 10:24 PM / National Vulnerability Database): Feedly found the first article mentioning CVE-2024-52587.

CVSS Estimate (Nov 18, 2024 at 10:24 PM): Feedly estimated the CVSS score as HIGH.

Vendor Advisory (Nov 18, 2024 at 11:55 PM): RedHat CVE advisory released a security advisory (CVE-2024-52587).

CVSS (Nov 18, 2024 at 11:55 PM / redhat-cve-advisories): A CVSS base score of 3.9 has been assigned.

EPSS (Nov 19, 2024 at 9:42 AM): EPSS Score was set to: 0.05% (Percentile: 17.4%).

CVSS (Nov 19, 2024 at 3:40 PM / nvd): A CVSS base score of 8.8 has been assigned.

Affected Systems

Github/github

Patches

Github Advisory

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

Vendor Advisory

[GHSA-g85v-wf27-67xc] Harden-Runner has a command injection weaknesses in `setup.ts` and `arc-runner.ts`
Versions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via environment variables that could potentially be exploited under specific conditions. arc-runner:40-44 3 has an execSync with multiple string

News

CVE-2024-52587 - StepSecurity's Harden-Runner Command Injection Vulnerability November 18, 2024 at 10:15PM https://ift.tt/P3fFhWK #CVE #IOC #CTI #ThreatIntelligence #ThreatIntel #Cybersecurity #Recon

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
