Vulnerability-Lookup

CVE-2024-42482 (GCVE-0-2024-42482)

Vulnerability from cvelistv5 – Published: 2024-08-12 15:35 – Updated: 2024-08-13 17:48

Title

fish-shop/syntax-check Improper Neutralization of Delimiters

Summary

fish-shop/syntax-check is a GitHub action for syntax checking fish shell files. Improper neutralization of delimiters in the `pattern` input (specifically the command separator `;` and command substitution characters `(` and `)`) mean that arbitrary command injection is possible by modification of the input value used in a workflow. This has the potential for exposure or exfiltration of sensitive information from the workflow runner, such as might be achieved by sending environment variables to an external entity. It is recommended that users update to the patched version `v1.6.12` or the latest release version `v2.0.0`, however remediation may be possible through careful control of workflows and the `pattern` input value used by this action.

Severity ?

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-140 - Improper Neutralization of Delimiters

Assigner

GitHub_M

References

URL

Tags

	https://github.com/fish-shop/syntax-check/securit…	x_refsource_CONFIRM
	https://github.com/fish-shop/syntax-check/commit/…	x_refsource_MISC
	https://github.com/fish-shop/syntax-check/commit/…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	fish-shop	syntax-check	Affected: < 1.6.12

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-42482",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-13T17:36:32.903995Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-13T17:48:18.971Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "syntax-check",
          "vendor": "fish-shop",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.6.12"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "fish-shop/syntax-check is a GitHub action for syntax checking fish shell files. Improper neutralization of delimiters in the `pattern` input (specifically the command separator `;` and command substitution characters `(` and `)`) mean that arbitrary command injection is possible by modification of the input value used in a workflow. This has the potential for exposure or exfiltration of sensitive information from the workflow runner, such as might be achieved by sending environment variables to an external entity. It is recommended that users update to the patched version `v1.6.12` or the latest release version `v2.0.0`, however remediation may be possible through careful control of workflows and the `pattern` input value used by this action."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-140",
              "description": "CWE-140: Improper Neutralization of Delimiters",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-12T15:35:57.157Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/fish-shop/syntax-check/security/advisories/GHSA-xj87-mqvh-88w2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/fish-shop/syntax-check/security/advisories/GHSA-xj87-mqvh-88w2"
        },
        {
          "name": "https://github.com/fish-shop/syntax-check/commit/91e6817c48ad475542fe4e78139029b036a53b03",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/fish-shop/syntax-check/commit/91e6817c48ad475542fe4e78139029b036a53b03"
        },
        {
          "name": "https://github.com/fish-shop/syntax-check/commit/c2cb11395e21119ff8d6e7ea050430ee7d6f49ca",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/fish-shop/syntax-check/commit/c2cb11395e21119ff8d6e7ea050430ee7d6f49ca"
        }
      ],
      "source": {
        "advisory": "GHSA-xj87-mqvh-88w2",
        "discovery": "UNKNOWN"
      },
      "title": "fish-shop/syntax-check Improper Neutralization of Delimiters"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-42482",
    "datePublished": "2024-08-12T15:35:57.157Z",
    "dateReserved": "2024-08-02T14:13:04.617Z",
    "dateUpdated": "2024-08-13T17:48:18.971Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-42482\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-13T17:36:32.903995Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-13T17:48:14.752Z\"}}], \"cna\": {\"title\": \"fish-shop/syntax-check Improper Neutralization of Delimiters\", \"source\": {\"advisory\": \"GHSA-xj87-mqvh-88w2\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"fish-shop\", \"product\": \"syntax-check\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.6.12\"}]}], \"references\": [{\"url\": \"https://github.com/fish-shop/syntax-check/security/advisories/GHSA-xj87-mqvh-88w2\", \"name\": \"https://github.com/fish-shop/syntax-check/security/advisories/GHSA-xj87-mqvh-88w2\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/fish-shop/syntax-check/commit/91e6817c48ad475542fe4e78139029b036a53b03\", \"name\": \"https://github.com/fish-shop/syntax-check/commit/91e6817c48ad475542fe4e78139029b036a53b03\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/fish-shop/syntax-check/commit/c2cb11395e21119ff8d6e7ea050430ee7d6f49ca\", \"name\": \"https://github.com/fish-shop/syntax-check/commit/c2cb11395e21119ff8d6e7ea050430ee7d6f49ca\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"fish-shop/syntax-check is a GitHub action for syntax checking fish shell files. Improper neutralization of delimiters in the `pattern` input (specifically the command separator `;` and command substitution characters `(` and `)`) mean that arbitrary command injection is possible by modification of the input value used in a workflow. This has the potential for exposure or exfiltration of sensitive information from the workflow runner, such as might be achieved by sending environment variables to an external entity. It is recommended that users update to the patched version `v1.6.12` or the latest release version `v2.0.0`, however remediation may be possible through careful control of workflows and the `pattern` input value used by this action.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-140\", \"description\": \"CWE-140: Improper Neutralization of Delimiters\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-08-12T15:35:57.157Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-42482\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-13T17:48:18.971Z\", \"dateReserved\": \"2024-08-02T14:13:04.617Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-08-12T15:35:57.157Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2024-42482

Vulnerability from fkie_nvd - Published: 2024-08-12 16:15 - Updated: 2024-09-17 12:20

Severity ?

4.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/fish-shop/syntax-check/commit/91e6817c48ad475542fe4e78139029b036a53b03	Patch
security-advisories@github.com	https://github.com/fish-shop/syntax-check/commit/c2cb11395e21119ff8d6e7ea050430ee7d6f49ca	Patch
security-advisories@github.com	https://github.com/fish-shop/syntax-check/security/advisories/GHSA-xj87-mqvh-88w2	Vendor Advisory

Impacted products

	Vendor	Product	Version
	fish-shop	syntax-check	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:fish-shop:syntax-check:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "42DC3CBC-F85C-4E09-B5FA-921C4D3399CF",
              "versionEndExcluding": "1.6.12",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "fish-shop/syntax-check is a GitHub action for syntax checking fish shell files. Improper neutralization of delimiters in the `pattern` input (specifically the command separator `;` and command substitution characters `(` and `)`) mean that arbitrary command injection is possible by modification of the input value used in a workflow. This has the potential for exposure or exfiltration of sensitive information from the workflow runner, such as might be achieved by sending environment variables to an external entity. It is recommended that users update to the patched version `v1.6.12` or the latest release version `v2.0.0`, however remediation may be possible through careful control of workflows and the `pattern` input value used by this action."
    },
    {
      "lang": "es",
      "value": "fish-shop/syntax-check es una acci\u00f3n de GitHub para verificar la sintaxis de fish shell files. La neutralizaci\u00f3n inadecuada de los delimitadores en la entrada `patr\u00f3n` (espec\u00edficamente el separador de comando `;` y los caracteres de sustituci\u00f3n de comando `(` y `)`) significa que la inyecci\u00f3n de comando arbitraria es posible mediante la modificaci\u00f3n del valor de entrada utilizado en un flujo de trabajo. Esto tiene el potencial de exponer o exfiltrar informaci\u00f3n confidencial del ejecutor del flujo de trabajo, como podr\u00eda lograrse enviando variables de entorno a una entidad externa. Se recomienda que los usuarios actualicen a la versi\u00f3n parcheada `v1.6.12` o a la \u00faltima versi\u00f3n `v2.0.0`; sin embargo, es posible realizar una correcci\u00f3n mediante un control cuidadoso de los flujos de trabajo y el valor de entrada del `patr\u00f3n` utilizado por esta acci\u00f3n."
    }
  ],
  "id": "CVE-2024-42482",
  "lastModified": "2024-09-17T12:20:58.323",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.5,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-08-12T16:15:16.213",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/fish-shop/syntax-check/commit/91e6817c48ad475542fe4e78139029b036a53b03"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/fish-shop/syntax-check/commit/c2cb11395e21119ff8d6e7ea050430ee7d6f49ca"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/fish-shop/syntax-check/security/advisories/GHSA-xj87-mqvh-88w2"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-140"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-XJ87-MQVH-88W2

Vulnerability from github – Published: 2024-08-12 18:25 – Updated: 2024-08-12 19:16

Summary

fish-shop/syntax-check Improper Neutralization of Delimiters

Details

Impact

Improper neutralisation of delimiters in the pattern input (specifically the command separator ; and command substitution characters ( and )) mean that arbitrary command injection is possible by modification of the input value used in a workflow. This has the potential for exposure or exfiltration of sensitive information from the workflow runner, such as might be achieved by sending environment variables to an external entity.

Patches

As of this writing, the issue has been patched for versions in the v1.x.x release series in release v1.6.12 (also tagged as v1.6 and v1). The latest available release v2.0.0 also includes a corresponding patch (also tagged as v2.0 and v2).

Users should upgrade to at least the patched version v1.6.12 or preferably the latest available version v2.0.0. Workflows that use the action ref v1 will automatically receive the patched version v1.6.12 in future workflow runs.

Patch summary:

Release series	Patched tags	Patched commit hashes
`1.x.x`	`v1.6.12`, `v1.6`, `v1`	`91e6817c48ad475542fe4e78139029b036a53b03`
`2.x.x`	`v2.0.0`, `v2.0`, `v2`	`c2cb11395e21119ff8d6e7ea050430ee7d6f49ca`

Workarounds

Is it recommended that users update to the patched version v1.6.12 or the latest release version v2.0.0, however remediation may be possible through careful control of workflows and the pattern input value used by this action.

References

Severity ?

4.8 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

6.9 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "GitHub Actions",
        "name": "fish-shop/syntax-check"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-42482"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-140"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-12T18:25:20Z",
    "nvd_published_at": "2024-08-12T16:15:16Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nImproper neutralisation of delimiters in the `pattern` input (specifically the command separator `;` and command substitution characters `(` and `)`) mean that arbitrary command injection is possible by modification of the input value used in a workflow. This has the potential for exposure or exfiltration of sensitive information from the workflow runner, such as might be achieved by sending environment variables to an external entity.\n\n### Patches\n\nAs of this writing, the issue has been patched for versions in the `v1.x.x` release series in release `v1.6.12` (also tagged as `v1.6` and `v1`). The latest available release `v2.0.0` also includes a corresponding patch (also tagged as `v2.0` and `v2`).\n\nUsers should upgrade to at least the patched version `v1.6.12` or preferably the latest available version `v2.0.0`. Workflows that use the action ref `v1` will automatically receive the patched version `v1.6.12` in future workflow runs.\n\nPatch summary:\n\n| Release series | Patched tags    | Patched commit hashes |\n|----------------|-------------------------|-------------|\n| `1.x.x`        | `v1.6.12`, `v1.6`, `v1` | `91e6817c48ad475542fe4e78139029b036a53b03`    |\n| `2.x.x`        | `v2.0.0`, `v2.0`, `v2`  | `c2cb11395e21119ff8d6e7ea050430ee7d6f49ca`    |\n\n### Workarounds\n\nIs it recommended that users update to the patched version `v1.6.12` or the latest release version `v2.0.0`, however remediation may be possible through careful control of workflows and the `pattern` input value used by this action.\n\n### References\n\n- [CWE-140: Improper Neutralization of Delimiters](https://cwe.mitre.org/data/definitions/140.html)\n- [CAPEC-15: Command Delimiters](https://capec.mitre.org/data/definitions/15.html)\n",
  "id": "GHSA-xj87-mqvh-88w2",
  "modified": "2024-08-12T19:16:59Z",
  "published": "2024-08-12T18:25:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fish-shop/syntax-check/security/advisories/GHSA-xj87-mqvh-88w2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42482"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fish-shop/syntax-check/commit/91e6817c48ad475542fe4e78139029b036a53b03"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fish-shop/syntax-check/commit/c2cb11395e21119ff8d6e7ea050430ee7d6f49ca"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fish-shop/syntax-check"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "fish-shop/syntax-check Improper Neutralization of Delimiters"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-42482 (GCVE-0-2024-42482)

FKIE_CVE-2024-42482

GHSA-XJ87-MQVH-88W2

Impact

Patches

Workarounds

References

Tags

Sightings

Nomenclature