Serverless-DNS Command Injection Vulnerability in GitHub Action
Vulnerability
A command injection vulnerability has been identified in the serverless-dns GitHub Actions workflow file pr.yml, affecting versions up to and including 0.1.30. The workflow interpolates untrusted, pull-request-controlled values, specifically github.event.pull_request.head.repo.clone_url and github.head_ref, directly into a command executed by the runner. Because the workflow is triggered by pull_request_target, which runs with permissive permissions by default, an unauthorized attacker who controls those values could push arbitrary data to the repository, potentially leading to execution of malicious code when serverless-dns is run.
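The pattern described above, shown as an added illustration rather than the project's actual pr.yml (which this advisory does not reproduce): the first job interpolates the two untrusted values straight into the script text, the second passes them through environment variables so the shell receives them as data. Job names, step names and the checkout commands are assumptions made for the example.

```yaml
name: pr
on:
  pull_request_target:   # runs in the base repository's context, with its token and secrets

jobs:
  unsafe-pattern:
    runs-on: ubuntu-latest
    steps:
      # UNSAFE: ${{ }} expressions are substituted into the script before the
      # shell parses it, so a clone URL or branch name supplied by the pull
      # request becomes part of the command line, not an argument to it.
      - name: Check out the PR head (unsafe interpolation)
        run: |
          git clone --depth 1 --branch ${{ github.head_ref }} \
            ${{ github.event.pull_request.head.repo.clone_url }} src

  hardened-pattern:
    runs-on: ubuntu-latest
    permissions:
      contents: read        # least privilege: the job's token cannot push to the repository
    steps:
      # SAFE: the untrusted values reach the script only as environment
      # variables. Double-quoting keeps them as single arguments, and the
      # "--" separator stops git from reading a value as an option.
      - name: Check out the PR head (values passed as data)
        env:
          PR_CLONE_URL: ${{ github.event.pull_request.head.repo.clone_url }}
          PR_REF: ${{ github.head_ref }}
        run: |
          git clone --depth 1 --branch "$PR_REF" -- "$PR_CLONE_URL" src
```

The environment-variable indirection removes the injection, but it does not make it safe to build or run the pull request's own code under pull_request_target; for steps that must execute untrusted code, the plain pull_request trigger, which runs without write permissions or secrets, is the appropriate choice.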
Impact
Exploitation of this vulnerability allows an unauthorized attacker to push arbitrary data to the repository, with the potential consequence of executing the attacker's code when serverless-dns is executed.
Remediation
Update to serverless-dns version 0.1.31 or later, where this vulnerability has been fixed.