Vulnerability Description
arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. The `arduino-esp32` CI is vulnerable to multiple Poisoned Pipeline Execution (PPE) vulnerabilities. Code injection in `tests_results.yml` workflow (`GHSL-2024-169`) and environment Variable injection (`GHSL-2024-170`). These issue have been addressed but users are advised to verify the contents of the downloaded artifacts.
CVSS Score
CRITICAL
Related Weaknesses (CWE)
References
- https://codeql.github.com/codeql-query-help/javascript/js-actions-command-inject
- https://github.com/espressif/arduino-esp32/blob/690bdb511d9f001e2066da2dda2c631a
- https://github.com/espressif/arduino-esp32/security/advisories/GHSA-h52q-xhg2-6j
- https://securitylab.github.com/research/github-actions-preventing-pwn-requests
- https://securitylab.github.com/research/github-actions-untrusted-input
FAQ
What is CVE-2024-45798?
CVE-2024-45798 is a vulnerability with a CVSS score of 9.9 (CRITICAL). arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. The `arduino-esp32` CI is vulnerable to multiple Poisoned Pipeline Execution (PPE)...
How severe is CVE-2024-45798?
CVE-2024-45798 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-45798?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.