Two weeks after Google disclosed a security defect in GitHub, the Microsoft-owned site has resolved the problem
GitHub Actions supports a feature known as workflow commands, which acts as a communication channel between the Actions runner and the action being executed.
While Google described it as a 'high severity' software error, GitHub stated that it was a 'moderate security vulnerability'.
Google Project Zero usually discloses any defect it finds 90 days after reporting it, and by November 2, GitHub had exceeded Google's one-off grace period of 14 days without having fixed the defect.
A day before the extended disclosure deadline, GitHub told Google it would not be disabling the vulnerable commands by November 2 and then requested an additional 48 hours – not to fix the issue but to inform customers and set a firm date at some point in the near future.
In line with Wilhelm's recommendation, GitHub finally got around to addressing the issue last week by disabling the feature's old runner commands, "set-env" and "add-path".
The fix was implemented on November 16, two weeks after Wilhelm publicly presented the problem.
As Wilhelm noted in his report, the former version of GitHub's Actions runner command "set-env" was interesting from a security perspective because it could be used to define arbitrary environment variables as part of a workflow step.
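As an added illustration (not code from the article, from Wilhelm's report or from GitHub), the following Python helper scans a job's step output for the deprecated `::set-env` and `::add-path` workflow commands, which the runner parsed from any line a step printed, and suggests the file-based replacement (`$GITHUB_ENV`, `$GITHUB_PATH`) that GitHub introduced; the sample log below is constructed.

```python
import re
from typing import List, Tuple

# Syntax of the two deprecated workflow commands discussed in the article:
#   ::set-env name=NAME::VALUE
#   ::add-path::PATH
DEPRECATED_CMD = re.compile(
    r"^::(?P<cmd>set-env|add-path)(?:\s+name=(?P<name>[^:]+))?::(?P<value>.*)$"
)


def find_deprecated_commands(log_text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, command, name, value) for every deprecated command.

    The runner interpreted any stdout line that started with "::", so a
    command could originate from untrusted data a step merely echoed, not
    only from the workflow author's own script. Auditing job logs for these
    lines shows which workflows still rely on the removed commands.
    """
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = DEPRECATED_CMD.match(line.strip())
        if match:
            hits.append((line_no, match.group("cmd"),
                         match.group("name") or "", match.group("value")))
    return hits


def suggested_replacement(cmd: str, name: str, value: str) -> str:
    """Equivalent shell line using the environment files that replaced
    the commands after the fix (GITHUB_ENV and GITHUB_PATH)."""
    if cmd == "set-env":
        return f'echo "{name}={value}" >> "$GITHUB_ENV"'
    return f'echo "{value}" >> "$GITHUB_PATH"'


# Constructed sample of step output containing both deprecated commands.
SAMPLE_LOG = """\
Run ./build.sh
Building version 1.2.3
::set-env name=BUILD_TARGET::release
::add-path::/opt/tools/bin
Build finished
"""

if __name__ == "__main__":
    for line_no, cmd, name, value in find_deprecated_commands(SAMPLE_LOG):
        print(f"line {line_no}: deprecated ::{cmd} -> "
              f"{suggested_replacement(cmd, name, value)}")
```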