CVE-2024-52587
CVSS V2 None
CVSS V3 None
Description
StepSecurity's Harden-Runner provides network egress filtering and runtime security for GitHub-hosted and self-hosted runners. Versions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via environment variables that could potentially be exploited under specific conditions. However, due to the current execution order of pre-steps in GitHub Actions and the placement of harden-runner as the first step in a job, the likelihood of exploitation is low as the Harden-Runner action reads the environment variable during the pre-step stage. There are no known exploits at this time. Version 2.10.2 contains a patch.
Overview
- CVE ID
- CVE-2024-52587
- Assigner
- GitHub_M
- Vulnerability Status
- PUBLISHED
- Published Version
- 2024-11-18T22:03:15.657Z
- Last Modified Date
- 2024-11-18T22:03:15.657Z
Weakness Enumerations
References
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-52587 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52587 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2024-11-19 13:36:01 | Added to TrackCVE |