Canonical Get-Workflow-Version-Action GITHUB_TOKEN Partial Exposure Vulnerability
Vulnerability
A vulnerability exists in the Canonical Get-Workflow-Version-Action GitHub composite action in versions prior to 1.0.1. This action retrieves the commit SHA associated with a reusable workflow in GitHub Actions. The vulnerability arises when the action fails: the exception output may include a truncated copy of the GITHUB_TOKEN. GitHub automatically redacts the full token from the logs, but its masking matches the complete value, so a truncated fragment is written to the log in plaintext. The exposed fragment is visible to anyone with read access to the repository's workflow logs, and for public repositories the logs are accessible to everyone. Although the GITHUB_TOKEN is revoked at the end of the job, there is a brief window of opportunity for exploitation, particularly if 'continue-on-error' is used or if certain status check functions are applied in the workflow, since either can keep the job running after the failing step.
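The following Python is an added example that models the mechanism described above; it is not code from the advisory or from Canonical's action. It shows why masking that matches only the complete token (the assumed model of GitHub's log redaction) leaves a truncated copy readable, and how an action author can scrub fragments of a secret from error text before it reaches the log. The token value, the error message and the truncation are all constructed for the demonstration.

```python
"""Exact-match masking misses a truncated secret; fragment masking catches it."""

# Constructed sample value, not a real credential: it only mimics the shape of
# a GitHub Actions token (ghs_ prefix followed by an opaque string).
SAMPLE_TOKEN = "ghs_EXAMPLE0123456789abcdefABCDEF0123456789"


def simulate_failed_request(token: str) -> str:
    """Constructed stand-in for the text a failing HTTP call might print.

    The Authorization header is shortened with '...' the way some exception
    and repr() helpers truncate long values, which is exactly what defeats
    exact-match masking: the full token never appears in the output.
    """
    truncated = token[:24] + "..."
    return (
        "HTTPError: 401 Unauthorized for "
        "https://api.github.com/repos/org/repo/actions/workflows\n"
        f"request headers: {{'Authorization': 'Bearer {truncated}'}}"
    )


def mask_exact(text: str, secret: str) -> str:
    """Replace only complete occurrences of the secret (assumed log-masking model)."""
    if not secret:
        return text
    return text.replace(secret, "***")


def mask_fragments(text: str, secret: str, min_len: int = 8) -> str:
    """Replace every run of at least `min_len` characters that is a substring
    of `secret`, so prefixes, suffixes and middles of the token are redacted.

    `min_len` trades completeness for false positives: very short fragments
    are unlikely to be useful to an attacker but likely to collide with
    ordinary words, so 8 is a reasonable floor for opaque random tokens.
    """
    if not secret or len(secret) < min_len:
        return text
    out = []
    i, n, m = 0, len(text), len(secret)
    while i < n:
        # Longest fragment of `secret` that starts at text[i].
        best = 0
        for j in range(m):
            k = 0
            while i + k < n and j + k < m and text[i + k] == secret[j + k]:
                k += 1
            if k > best:
                best = k
        if best >= min_len:
            out.append("***")
            i += best
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    message = simulate_failed_request(SAMPLE_TOKEN)
    print("exact-match masking:\n" + mask_exact(message, SAMPLE_TOKEN))
    print("\nfragment masking:\n" + mask_fragments(message, SAMPLE_TOKEN))
```

With exact-match masking the 24-character prefix of the constructed token survives in the output; with fragment masking it is replaced by `***` while the rest of the error text (status code, URL) is preserved for debugging. In a real action the equivalent defence is to catch the exception and log only the status code and a sanitized message rather than the raw request object.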
Impact
The vulnerability leads to a partial leak of the GITHUB_TOKEN, which could be exploited before the token is revoked at the end of the job. In a sophisticated attack, this could allow unauthorized actions on behalf of the user, depending on the permissions of the leaked token.
Remediation
Users of the Canonical Get-Workflow-Version-Action should update to version 1.0.1. If a GITHUB_TOKEN was leaked while using version 1.0.0, it should have been revoked automatically, but users should be aware of the potential for exploitation if the token was used before it was revoked.
