CVE-2023-22726 — HIGH (8.0)

Q: How severe is CVE-2023-22726?

CVE-2023-22726 has been rated HIGH with a CVSS base score of 8.0/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-22726?

Check the references section above for vendor advisories and patch information. Affected products include: Act Project Act.

Vulnerability Description

act is a project which allows for local running of github actions. The artifact server that stores artifacts from Github Action runs does not sanitize path inputs. This allows an attacker to download and overwrite arbitrary files on the host from a Github Action. This issue may lead to privilege escalation. The /upload endpoint is vulnerable to path traversal as filepath is user controlled, and ultimately flows into os.Mkdir and os.Open. The /artifact endpoint is vulnerable to path traversal as the path is variable is user controlled, and the specified file is ultimately returned by the server. This has been addressed in version 0.2.40. Users are advised to upgrade. Users unable to upgrade may, during implementation of Open and OpenAtEnd for FS, ensure to use ValidPath() to check against path traversal or clean the user-provided paths manually.

CVSS Score

8.0

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Act Project	Act	< 0.2.40

Related Weaknesses (CWE)

CWE-434 CWE-22

References

https://github.com/nektos/act/blob/master/pkg/artifacts/server.go#L65Third Party Advisory
https://github.com/nektos/act/blob/v0.2.35/pkg/artifacts/server.go#L245Third Party Advisory
https://github.com/nektos/act/blob/v0.2.35/pkg/artifacts/server.go#LL103C2-L103CThird Party Advisory
https://github.com/nektos/act/commit/63ae215071f94569d910964bdee866d91d6e3a10PatchThird Party Advisory
https://github.com/nektos/act/issues/1553Issue TrackingThird Party Advisory
https://github.com/nektos/act/security/advisories/GHSA-pc99-qmg4-rcffExploitThird Party Advisory
https://securitylab.github.com/advisories/GHSL-2023-004_act/ExploitThird Party Advisory
https://github.com/nektos/act/blob/master/pkg/artifacts/server.go#L65Third Party Advisory
https://github.com/nektos/act/blob/v0.2.35/pkg/artifacts/server.go#L245Third Party Advisory
https://github.com/nektos/act/blob/v0.2.35/pkg/artifacts/server.go#LL103C2-L103CThird Party Advisory
https://github.com/nektos/act/commit/63ae215071f94569d910964bdee866d91d6e3a10PatchThird Party Advisory
https://github.com/nektos/act/issues/1553Issue TrackingThird Party Advisory
https://github.com/nektos/act/security/advisories/GHSA-pc99-qmg4-rcffExploitThird Party Advisory
https://securitylab.github.com/advisories/GHSL-2023-004_act/ExploitThird Party Advisory

FAQ

What is CVE-2023-22726?

CVE-2023-22726 is a vulnerability with a CVSS score of 8.0 (HIGH). act is a project which allows for local running of github actions. The artifact server that stores artifacts from Github Action runs does not sanitize path inputs. This allows an attacker to download ...

How severe is CVE-2023-22726?

CVE-2023-22726 has been rated HIGH with a CVSS base score of 8.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-22726?

Check the references section above for vendor advisories and patch information. Affected products include: Act Project Act.