Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01eHI2LXhod3ctMzNtNM4ABBvE
Artifact poisoning vulnerability in action-download-artifact v5 and earlier
Summary
In versions of dawidd6/action-download-artifact
before v6, a repository's forks were also searched by default when attempting to find matching artifacts. This could be exploited by an unprivileged attacker to introduce compromised artifacts (such as malicious executables) into a privileged workflow context, as creating a fork requires no privileges.
Users should immediately upgrade to v6 or newer, which changes the default behavior to avoid searching forks for matching artifacts. Users who cannot upgrade should explicitly set allow_forks: false
to disable searching forks for artifacts.
Details
GitHub's artifact storage for workflows does not natively distinguish between artifacts created by a repository and artifacts created by forks of that repository. As a result, attempting to retrieve the "latest" artifact for a workflow run can return artifacts produced by a fork, rather than its upstream.
Because any GitHub user can create a fork of a public repository, this allows for artifact poisoning in the following scenarios (as well as potentially others):
- Repository
alice/foo
runsbuild.yml
, producingbuild.exe
- Repository
alice/foo
runspublish.yml
, which usesaction-download-artifact@v5
to retrieve the latestbuild.exe
frombuild.yml
To compromise publish.yml
in this scenario, Mallory forks alice/foo
to mallory/foo
, and then modifies build.yml
to produce a compromised build.exe
. Mallory can then repeatedly trigger their copy of build.yml
to ensure that their compromised build.exe
is always the latest artifact, meaning that Alice's publish.yml
will retrieve it.
Additional details on this vulnerability can be found in this blog post from 2022:
Impact
This vulnerability impacts all repositories on GitHub that use action-download-artifacts@v5
or older and do not disable allow_forks: true
, which is the default.
If a repository is affected, the severity ranges from downstream contamination (such as publishing attacker-controlled artifacts) to direct workflow compromise (if the retrieved artifact is then executed in a privileged workflow context, such as push
or pull_request_target
).
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01eHI2LXhod3ctMzNtNM4ABBvE
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 month ago
Updated: about 1 month ago
Identifiers: GHSA-5xr6-xhww-33m4
References:
- https://github.com/dawidd6/action-download-artifact/security/advisories/GHSA-5xr6-xhww-33m4
- https://github.com/dawidd6/action-download-artifact/commit/bf251b5aa9c2f7eeb574a96ee720e24f801b7c11
- https://www.legitsecurity.com/blog/artifact-poisoning-vulnerability-discovered-in-rust
- https://github.com/advisories/GHSA-5xr6-xhww-33m4
Blast Radius: 1.0
Affected Packages
actions:dawidd6/action-download-artifact
Affected Version Ranges: < 6Fixed in: 6