CVE-2024-3924

CVSS V2 None CVSS V3 None

Description

A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the `autodocs.yml` workflow file. The vulnerability arises from the insecure handling of the `github.head_ref` user input, which is used to dynamically construct a command for installing a software package. An attacker can exploit this by forking the repository, creating a branch with a malicious payload as the name, and then opening a pull request to the base repository. Successful exploitation could lead to arbitrary code execution within the context of the GitHub Actions runner. This issue affects versions up to and including v2.0.0 and was fixed in version 2.0.0.

Overview

CVE ID
CVE-2024-3924

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2024-05-30T14:59:43.416Z

Last Modified Date
2024-06-04T17:31:18.866Z

Weakness Enumerations

CWE	URL
CWE-94	http://cwe.mitre.org/data/definitions/94.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/8af92fc2-0103-4d29-bb28-c3893154c422
https://github.com/huggingface/text-generation-inference/commit/88702d876383f7200eccf67e28ba00500dc804bb

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-3924
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3924

History

Created	Old Value	New Value	Data Type	Notes
2024-06-23 23:11:48				Added to TrackCVE