Adept GITHUB_TOKEN Exposure Vulnerability in Workflow Artifact Upload

Vulnerability

A vulnerability exists in the GitHub repository of the Adept programming language, specifically in the remoteBuild.yml workflow file of version 2.7. The workflow uploads a mac-standalone artifact that includes the checkout's .git/config file, and that file contains the GITHUB_TOKEN. Anyone who downloads the artifact can extract the token and use it with the GitHub API to push malicious code or alter release commits in the Adept repository. The vulnerability has been addressed in version 2.8.

Impact

Exploitation of this vulnerability allows unauthorized use of the GITHUB_TOKEN, enabling an attacker to inject malicious code into the repository or manipulate release commits. Any user who builds from or downloads releases of this repository could receive tampered code as a result.

Reproduction

To reproduce this vulnerability, monitor for executions of the remoteBuild.yml workflow. Once a workflow run is detected, wait for the mac-standalone artifact to be uploaded. This artifact will contain the GITHUB_TOKEN, which can be extracted and used with the GitHub API to push a backdoored commit to the repository or to update release tags to point to the compromised commit.

Remediation

Users should update to Adept version 2.8, where this vulnerability has been patched.
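The leak described above happens when the checkout's .git directory, including the credential that actions/checkout writes into .git/config, is packaged into an uploaded artifact. The following is an added example, not code from the Adept project: a small pre-upload guard that refuses an artifact tree still carrying such a credential. It assumes the git "extraheader" layout and uses constructed paths and placeholder values throughout.

```shell
#!/bin/sh
# Added example, not code from the Adept project. A pre-upload guard for a
# CI step: it refuses an artifact directory that still carries the git
# credential actions/checkout writes into .git/config (an http.<url>
# .extraheader entry), which is the leak path described in this advisory.
# The real fix is to check out with persist-credentials: false or to leave
# .git out of the uploaded tree; this guard catches the case where that
# was forgotten. All paths and values below are constructed placeholders.

# artifact_has_git_credentials DIR
# Returns 0 when DIR/.git/config has an Authorization extraheader, else 1.
artifact_has_git_credentials() {
    cfg="$1/.git/config"
    [ -f "$cfg" ] || return 1
    grep -qiE '^[[:space:]]*extraheader[[:space:]]*=[[:space:]]*AUTHORIZATION' "$cfg"
}

# check_artifact DIR
# Prints a verdict; returns non-zero when the artifact must not be uploaded.
check_artifact() {
    if artifact_has_git_credentials "$1"; then
        echo "REFUSE: $1/.git/config carries a git credential header" >&2
        return 1
    fi
    echo "OK: no git credentials found under $1"
}

# demo_setup
# Builds two constructed artifact trees under a temp dir and prints its path:
# "leaky" mimics a checkout whose .git was packaged, "clean" does not.
demo_setup() {
    base="${TMPDIR:-/tmp}/artifact-guard-demo.$$"
    mkdir -p "$base/leaky/.git" "$base/clean/bin"
    # Same layout actions/checkout uses; the value is a placeholder, not a token.
    printf '[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic PLACEHOLDER\n' \
        > "$base/leaky/.git/config"
    echo 'placeholder binary' > "$base/clean/bin/adept"
    echo "$base"
}

# Stand-alone run: the clean tree passes, the leaky tree is refused.
base=$(demo_setup)
check_artifact "$base/clean"
check_artifact "$base/leaky" || echo "(upload step would be blocked here)"
rm -rf "$base"
```

In a workflow, run check_artifact against the staging directory as the step before the upload action so a non-zero exit stops the job.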

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          5.0
  exploitability  7.6
  remediation     0.0
  relevance       0.0
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.