Friday, January 15, 19:40

GitHub: Fixed a serious vulnerability discovered by Google

GitHub has finally fixed a serious vulnerability reported by Google's security team, Project Zero. The researchers had informed GitHub about it three months ago.

GitHub vulnerability

The vulnerability affected GitHub Actions. According to Google researcher Felix Wilhelm, it left the Actions tool open to "injection attacks".

Google had said it was a very serious vulnerability, but GitHub did not respond immediately, as it considered it a "moderate security vulnerability".

The Google Project Zero team usually discloses the bugs it finds 90 days after reporting them to the responsible vendor. The 90-day period passed and GitHub had still not fixed the vulnerability. The Google researchers gave it another 14 days, but again nothing happened, so they decided to disclose the vulnerability (in early November).

A day before the scheduled disclosure (after an extension), GitHub told Google it would not disable the vulnerable Actions workflow commands until November 2 and requested an additional 48 hours. However, these extra hours would be used to inform customers about a future fix, not to correct the vulnerability itself.

Google

The Google research team decided to disclose the vulnerability and not grant more time, as 104 days had already passed since the initial report to GitHub.

GitHub finally fixed the vulnerability last week by disabling the old Actions runner commands "set-env" and "add-path", as Wilhelm had suggested.

The fix was released on 16 November, i.e. two weeks after Google's disclosure of the vulnerability.

As Wilhelm explained, Actions was vulnerable to injection attacks, a flaw that could ultimately lead to the execution of malicious code.

Now that GitHub has disabled the two vulnerable commands, Wilhelm has updated his report and confirmed that the issue has been resolved.
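To show what the two disabled commands did and why removing them closed the injection path, here is an added Python sketch that is not from this article, from ZDNet, or from GitHub's runner code: it replays a step's stdout the way the runner interpreted workflow commands, once as the pre-fix runner and once as the fixed one. The `::command key=value::data` line format is the real workflow-command syntax; the sample output lines and the INJECTED / untrusted-bin values are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# A workflow command is a line on a step's stdout shaped like
#   ::command key=value,key2=value2::data
# Before the fix the runner honoured "set-env" and "add-path" this way, so any
# untrusted text that reached stdout on its own line could alter the job.
CMD_RE = re.compile(r"^::([A-Za-z0-9_-]+)(?:\s+([^:]*))?::(.*)$")
DEPRECATED = {"set-env", "add-path"}

def parse_command(line):
    """Return (name, props, data) for a workflow-command line, else None."""
    m = CMD_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    props = {}
    for part in (m.group(2) or "").split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            props[key.strip()] = value.strip()
    return m.group(1), props, m.group(3)

@dataclass
class JobState:
    env: dict = field(default_factory=dict)
    path: list = field(default_factory=list)
    rejected: list = field(default_factory=list)  # deprecated commands seen

def apply_output(lines, legacy):
    """Replay a step's stdout against a fresh JobState.
    legacy=True mimics the runner before 16 November (set-env/add-path
    honoured); legacy=False mimics the fixed runner, which ignores them."""
    state = JobState()
    for line in lines:
        cmd = parse_command(line)
        if cmd is None:
            continue
        name, props, data = cmd
        if name in DEPRECATED and not legacy:
            state.rejected.append(line)   # logged, no effect on the job
        elif name == "set-env":
            state.env[props.get("name", "")] = data
        elif name == "add-path":
            state.path.insert(0, data)
    return state

# Constructed sample: a step echoes an issue title; the title contained a
# newline, so the text after it lands on its own stdout line.
SAMPLE_OUTPUT = [
    "Title: Fix typo in README",
    "::set-env name=INJECTED::from-untrusted-input",
    "::add-path::/tmp/untrusted-bin",
    "::warning::ordinary command, still supported",
]
```

Running `apply_output(SAMPLE_OUTPUT, legacy=True)` shows the echoed text changing the job's environment and PATH; with `legacy=False` the same lines are only recorded in `rejected`, which is also a cheap way to audit old workflow logs for the deprecated commands.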

Source: ZDNet

Author: Digital Fortress (https://www.secnews.gr)
