CVE-2024-42482

{"id": "CVE-2024-42482", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2024-08-12T16:15:16.213", "references": [{"url": "https://github.com/fish-shop/syntax-check/commit/91e6817c48ad475542fe4e78139029b036a53b03", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/fish-shop/syntax-check/commit/c2cb11395e21119ff8d6e7ea050430ee7d6f49ca", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/fish-shop/syntax-check/security/advisories/GHSA-xj87-mqvh-88w2", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-140"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "fish-shop/syntax-check is a GitHub action for syntax checking fish shell files. Improper neutralization of delimiters in the `pattern` input (specifically the command separator `;` and command substitution characters `(` and `)`) mean that arbitrary command injection is possible by modification of the input value used in a workflow. This has the potential for exposure or exfiltration of sensitive information from the workflow runner, such as might be achieved by sending environment variables to an external entity. It is recommended that users update to the patched version `v1.6.12` or the latest release version `v2.0.0`, however remediation may be possible through careful control of workflows and the `pattern` input value used by this action."}, {"lang": "es", "value": "fish-shop/syntax-check es una acci\u00f3n de GitHub para verificar la sintaxis de fish shell files. La neutralizaci\u00f3n inadecuada de los delimitadores en la entrada `patr\u00f3n` (espec\u00edficamente el separador de comando `;` y los caracteres de sustituci\u00f3n de comando `(` y `)`) significa que la inyecci\u00f3n de comando arbitraria es posible mediante la modificaci\u00f3n del valor de entrada utilizado en un flujo de trabajo. Esto tiene el potencial de exponer o exfiltrar informaci\u00f3n confidencial del ejecutor del flujo de trabajo, como podr\u00eda lograrse enviando variables de entorno a una entidad externa. Se recomienda que los usuarios actualicen a la versi\u00f3n parcheada `v1.6.12` o a la \u00faltima versi\u00f3n `v2.0.0`; sin embargo, es posible realizar una correcci\u00f3n mediante un control cuidadoso de los flujos de trabajo y el valor de entrada del `patr\u00f3n` utilizado por esta acci\u00f3n."}], "lastModified": "2024-09-17T12:20:58.323", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:fish-shop:syntax-check:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "42DC3CBC-F85C-4E09-B5FA-921C4D3399CF", "versionEndExcluding": "1.6.12"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}