CVE-2024-52587

CVSS V2 None CVSS V3 None
Description
StepSecurity's Harden-Runner provides network egress filtering and runtime security for GitHub-hosted and self-hosted runners. Versions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via environment variables that could potentially be exploited under specific conditions. However, due to the current execution order of pre-steps in GitHub Actions and the placement of harden-runner as the first step in a job, the likelihood of exploitation is low as the Harden-Runner action reads the environment variable during the pre-step stage. There are no known exploits at this time. Version 2.10.2 contains a patch.
Overview
  • CVE ID
  • CVE-2024-52587
  • Assigner
  • GitHub_M
  • Vulnerability Status
  • PUBLISHED
  • Published Version
  • 2024-11-18T22:03:15.657Z
  • Last Modified Date
  • 2024-11-18T22:03:15.657Z
History
Created Old Value New Value Data Type Notes
2024-11-19 13:36:01 Added to TrackCVE