Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jeHd3LTdnNTYtMnZoNs4AA_QJ
@actions/download-artifact has an Arbitrary File Write via artifact extraction
Impact
Versions of actions/download-artifact before 4.1.7 are vulnerable to arbitrary file write when downloading and extracting a specifically crafted artifact that contains path traversal filenames.
Patches
Upgrade to version 4.1.7 or higher. Alternatively use 'v4' tag which points to the latest and secure version.
References
- https://snyk.io/research/zip-slip-vulnerability
- https://github.com/actions/download-artifact/releases/tag/v4.1.7
CVE
CVE-2024-42471
Credits
Justin Taft from Google
Permalink: https://github.com/advisories/GHSA-cxww-7g56-2vh6JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jeHd3LTdnNTYtMnZoNs4AA_QJ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 2 months ago
Updated: 2 months ago
CVSS Score: 7.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Identifiers: GHSA-cxww-7g56-2vh6
References:
- https://github.com/actions/download-artifact/security/advisories/GHSA-cxww-7g56-2vh6
- https://github.com/actions/download-artifact/releases/tag/v4.1.7
- https://github.com/advisories/GHSA-6q32-hq47-5qq3
- https://snyk.io/research/zip-slip-vulnerability
- https://github.com/advisories/GHSA-cxww-7g56-2vh6
Blast Radius: 1.0
Affected Packages
actions:actions/download-artifact
Affected Version Ranges: >= 4.0.0, < 4.1.7Fixed in: 4.1.7