Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

CVE-2024-47179

Disclosure Date: September 26, 2024 •

CVE-2024-47179

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

RSSHub is an RSS network. Prior to commit 64e00e7, RSSHub’s docker-test-cont.yml workflow is vulnerable to Artifact Poisoning, which could have lead to a full repository takeover. Downstream users of RSSHub are not vulnerable to this issue, and commit 64e00e7 fixed the underlying issue and made the repository no longer vulnerable. The docker-test-cont.yml workflow gets triggered when the PR - Docker build test workflow completes successfully. It then collects some information about the Pull Request that triggered the triggering workflow and set some labels depending on the PR body and sender. If the PR also contains a routes markdown block, it will set the TEST_CONTINUE environment variable to true. The workflow then downloads and extracts an artifact uploaded by the triggering workflow which is expected to contain a single rsshub.tar.zst file. However, prior to commit 64e00e7, it did not validate and the contents were extracted in the root of the workspace overriding any existing files. Since the contents of the artifact were not validated, it is possible for a malicious actor to send a Pull Request which uploads, not just the rsshub.tar.zst compressed docker image, but also a malicious package.json file with a script to run arbitrary code in the context of the privileged workflow. As of commit 64e00e7, this scenario has been addressed and the RSSHub repository is no longer vulnerable.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

None

Impact Score:

Unknown

Exploitability Score:

Unknown

Vector:

Unknown

Attack Vector (AV):

Unknown

Attack Complexity (AC):

Unknown

Privileges Required (PR):

Unknown

User Interaction (UI):

Unknown

Scope (S):

Unknown

Confidentiality (C):

Unknown

Integrity (I):

Unknown

Availability (A):

Unknown

Vendors

DIYgod

Products

RSSHub

References

Canonical

CVE-2024-47179 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47179)

Miscellaneous

https://github.com/DIYgod/RSSHub/security/advisories/GHSA-9mqc-fm24-h8cw

https://github.com/DIYgod/RSSHub/commit/64e00e743aba2a239508fea97825994e3d687ecc

https://codeql.github.com/codeql-query-help/javascript/js-actions-command-injection

https://github.com/DIYgod/RSSHub/actions/runs/10141104413/job/28037643579#step:1:17

https://github.com/DIYgod/RSSHub/blob/e08733f94c81440d19ee6a5fd5e915e9a65395f5/.github/workflows/docker-test-cont.yml

https://securitylab.github.com/research/github-actions-preventing-pwn-requests

https://securitylab.github.com/research/github-actions-untrusted-input

Rapid7

Unknown

CVE-2024-47179

Unknown

Unknown

Unknown

Unknown

Unknown

CVE-2024-47179

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2024-47179

Unknown

Unknown

Unknown

Unknown

Unknown

CVE-2024-47179

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification