A vulnerability in the GitHub Actions Runner allowed untrusted inputs in environment variables to escape and modify docker command invocations. This affected jobs using container actions, job containers, or service containers. The issue has been patched in multiple versions of the runner.
Affected Services
GitHub Actions
Remediation
Update to one of the patched runner versions: 2.296.2, 2.293.1, 2.289.4, 2.285.2, or 2.283.4. GHES and GHAE customers should patch their instances so that their runners are upgraded automatically.
Check the version of your GitHub Actions Runner. If it is a vulnerable version, review your jobs for potential exploitation of environment variables in container-related actions.
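Added example (not part of the advisory and not GitHub's code): a version check against the patched releases listed above. It assumes that a release line with no listed patch is vulnerable unless it is newer than 2.296, so a plain "2.283.4 or later" comparison is not enough; the host names and inventory are constructed.

```python
import re

# Patched releases from the advisory, keyed by (major, minor) release line,
# with the first fixed patch number in that line as the value.
PATCHED = {(2, 296): 2, (2, 293): 1, (2, 289): 4, (2, 285): 2, (2, 283): 4}
NEWEST_LINE = max(PATCHED)


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v') into three ints."""
    match = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised runner version: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(version):
    """True if the runner version carries the fix, under the stated assumption."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in PATCHED:
        return patch >= PATCHED[line]
    # Assumption: lines newer than the newest patched line include the fix;
    # any other line has no listed fix and is treated as vulnerable.
    return line > NEWEST_LINE


def triage(inventory):
    """Return the sorted (host, version) pairs that still need an upgrade."""
    return sorted((host, ver) for host, ver in inventory.items()
                  if not is_patched(ver))


# Constructed inventory of self-hosted runners (hypothetical host names).
INVENTORY = {
    "runner-a": "2.296.2",   # fixed release in its line
    "runner-b": "2.294.0",   # higher than 2.293.1, but its line has no fix
    "runner-c": "v2.283.3",  # one patch short of 2.283.4
    "runner-d": "2.299.1",   # newer than every patched line
}

if __name__ == "__main__":
    for host, ver in triage(INVENTORY):
        print(f"{host}: {ver} is not a patched runner version, upgrade it")
```

Jobs that ran on the hosts this reports are the ones to review first.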