GitHub Repairs The Security Defects Identified By Google

Two weeks after Google disclosed a security defect in GitHub, the Microsoft-owned site has resolved the problem

23-Nov-2020
2 min read


GitHub Actions supports a feature known as workflow commands, which act as a communication channel between the Actions runner and the action being executed.

While Google described it as a 'high severity' software error, GitHub stated that it was a 'moderate security vulnerability'.

Google Project Zero usually discloses any defect it finds 90 days after reporting it, and by November 2 GitHub had exceeded Google's one-off grace period of 14 days without having fixed the defect.

A day before the extended disclosure deadline, GitHub told Google it would not be disabling the vulnerable commands by November 2 and requested an additional 48 hours, not to fix the issue but to notify customers and set a firm date in the near future.

Following Wilhelm's recommendation, GitHub finally addressed the issue last week by disabling the feature's old runner commands, "set-env" and "add-path".

The fix was implemented on November 16, two weeks after Wilhelm publicly disclosed the problem.

As Wilhelm noted in his bug report, the former version of GitHub's action runner command "set-env" was interesting from a security point of view because it could be used to define arbitrary environment variables as part of a workflow step.
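As an added illustration (not code from the article, Google or GitHub), the scanner below walks a workflow file line by line, flags the two deprecated runner commands the article names, and proposes the replacement GitHub recommends: appending to the $GITHUB_ENV and $GITHUB_PATH files instead of writing commands to stdout. The sample workflow is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches the two deprecated runner commands: "::set-env name=X::value"
# and "::add-path::value". The runner used to parse these out of step output.
DEPRECATED_RE = re.compile(
    r"::(?P<cmd>set-env|add-path)(?:\s+name=(?P<name>[^:,]+))?::(?P<value>.*)"
)

@dataclass
class Finding:
    line_no: int
    command: str
    name: Optional[str]   # only set-env carries a name= parameter
    value: str
    replacement: str      # file-based equivalent to migrate to

def find_deprecated_workflow_commands(workflow_text: str) -> List[Finding]:
    """Report every set-env / add-path use in a workflow, with a replacement."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = DEPRECATED_RE.search(line)
        if not m:
            continue
        cmd = m.group("cmd")
        name = m.group("name")
        # Drop the closing quote left over from an `echo "..."` invocation.
        value = m.group("value").strip().strip("\"'")
        if cmd == "set-env":
            replacement = f'echo "{name}={value}" >> "$GITHUB_ENV"'
        else:
            replacement = f'echo "{value}" >> "$GITHUB_PATH"'
        findings.append(Finding(line_no, cmd, name, value, replacement))
    return findings

# Constructed sample workflow: two deprecated commands plus one migrated step.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "::set-env name=BUILD_MODE::release"
      - run: echo "::add-path::/opt/tool/bin"
      - run: echo "CACHE_DIR=$HOME/.cache" >> "$GITHUB_ENV"
"""

if __name__ == "__main__":
    for f in find_deprecated_workflow_commands(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: ::{f.command} -> {f.replacement}")
```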

Was this article useful? If yes, then connect with and follow us on Facebook, Twitter and LinkedIn to keep yourself updated with the latest cyber security news.