critical
9.9
CWE
78
Advisory Published
Updated

CVE-2022-39321: GitHub Actions Runner vulnerable to Docker Command Escaping

First published: Tue Oct 25 2022(Updated: )

GitHub Actions Runner is the application that runs a job from a GitHub Actions workflow. The actions runner invokes the docker cli directly in order to run job containers, service containers, or container actions. A bug in the logic for how the environment is encoded into these docker commands was discovered in versions prior to 2.296.2, 2.293.1, 2.289.4, 2.285.2, and 2.283.4 that allows an input to escape the environment variable and modify that docker command invocation directly. Jobs that use container actions, job containers, or service containers alongside untrusted user inputs in environment variables may be vulnerable. The Actions Runner has been patched, both on `github.com` and hotfixes for GHES and GHAE customers in versions 2.296.2, 2.293.1, 2.289.4, 2.285.2, and 2.283.4. GHES and GHAE customers may want to patch their instance in order to have their runners automatically upgrade to these new runner versions. As a workaround, users may consider removing any container actions, job containers, or service containers from their jobs until they are able to upgrade their runner versions.

Credit: security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
Github Runner<2.283.4
Github Runner>=2.284.0<2.285.2
Github Runner>=2.286.0<2.289.4
Github Runner>=2.290.0<2.293.1
Github Runner>=2.294.0<2.296.2

Remedy

https://github.com/actions/runner/pull/2107

Remedy

https://github.com/actions/runner/pull/2108

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is CVE-2022-39321?

    CVE-2022-39321 is a vulnerability in GitHub Actions Runner that allows for unauthorized remote code execution.

  • What is the severity of CVE-2022-39321?

    CVE-2022-39321 has a severity rating of 9.9, which is classified as critical.

  • How does CVE-2022-39321 affect GitHub Actions Runner?

    CVE-2022-39321 affects GitHub Actions Runner versions between 2.283.4 and 2.296.2.

  • How can I fix CVE-2022-39321?

    To fix CVE-2022-39321, you should update your GitHub Actions Runner to a version that is not affected by the vulnerability.

  • Where can I find more information about CVE-2022-39321?

    You can find more information about CVE-2022-39321 in the GitHub Security Advisory: GHSA-2c6m-6gqh-6qg3.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203