Critical Microsoft GitHub Flaw Highlights Dangers to CI/CD Pipelines: Tenable - DevOps.com
"By exploiting this vulnerability, an attacker with an unprivileged GitHub account could exfiltrate secrets available to the workflow run and perform unauthorized operations on the target GitHub repository."
"The security flaw can be easily exploited, and illustrates the growing security risks as CI/CD pipelines play an increasingly central role in the software development field."
"Exploitation of the flaw was 'trivial,' Marot wrote. All it took was for an attacker to open a GitHub issue, which is open to any registered user."
"The hacker could inject malicious Python code into the issue description, with the GitHub workflow automatically starting up when the issue was created."
A vulnerability in a CI/CD workflow of a Microsoft-owned GitHub repository let attackers turn the repository's own automation against it: text from a newly opened issue was fed, unescaped, into Python that the workflow ran, so anyone holding an ordinary, unprivileged GitHub account could trigger code execution on the runner simply by filing an issue. Tenable's researchers noted that such an attacker could read every secret available to the workflow run and perform unauthorized operations on the repository. Because opening an issue is open to any registered user and the repository is public and widely used, the flaw is a real software-supply-chain risk rather than a theoretical one: credentials obtained this way can be used to modify the repository that downstream consumers trust.
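The mechanism described above is the classic GitHub Actions expression-injection bug: the runner expands `${{ ... }}` expressions textually before a step's script executes, so an expression that drops untrusted issue text straight into code becomes code injection. The following Python model is an added example, not the repository's workflow or Tenable's proof of concept. It assumes a hypothetical vulnerable step that interpolates `github.event.issue.body` into a Python source string, a hardened step that instead reads the text from an environment variable, and a constructed secret named `DEPLOY_TOKEN`; the issue body and secret value are constructed samples.

```python
"""Model of GitHub Actions expression injection via an issue body.

The runner substitutes ``${{ expr }}`` with the raw expression value before
the step runs (no quoting, no escaping).  Splicing attacker-controlled text
into code is therefore code injection; passing it through ``env:`` keeps it
as data.  Everything here is illustrative, not the project's real workflow.
"""
import os
import re
import subprocess
import sys

# Constructed sample secret the workflow run would have access to.
SAMPLE_SECRET = "ghs_EXAMPLE_TOKEN_0000"

# Constructed sample issue body.  It closes the string literal the vulnerable
# template wraps it in, runs arbitrary Python that reads a secret, then
# reopens a string so the rest of the template still parses.
MALICIOUS_ISSUE_BODY = (
    '"; import os; print("LEAK:" + os.environ["DEPLOY_TOKEN"]); x = "'
)

# Hypothetical vulnerable step: the expression is expanded inside Python source.
VULNERABLE_STEP = (
    'body = "${{ github.event.issue.body }}"\n'
    'print("triaging:", body[:40])\n'
)

# Hardened step: the script contains no expression at all and only ever sees
# the issue text as the value of an environment variable.
HARDENED_STEP = (
    'import os\n'
    'body = os.environ["ISSUE_BODY"]\n'
    'print("triaging:", body[:40])\n'
)

_ISSUE_BODY_EXPR = re.compile(r"\$\{\{\s*github\.event\.issue\.body\s*\}\}")


def expand_expressions(step: str, issue_body: str) -> str:
    """Mimic the runner: replace the expression with the raw text, verbatim.

    A callable replacement is used so backslashes in the body are not
    interpreted by re.sub, matching the runner's literal substitution.
    """
    return _ISSUE_BODY_EXPR.sub(lambda _m: issue_body, step)


def run_step(script: str, env: dict) -> str:
    """Execute the rendered step in a child interpreter and return its output."""
    proc = subprocess.run(
        [sys.executable, "-c", script],
        env=env, capture_output=True, text=True,
    )
    return proc.stdout + proc.stderr


def run_vulnerable(issue_body: str, secret: str) -> str:
    """Render and run the vulnerable step; attacker text becomes Python code."""
    script = expand_expressions(VULNERABLE_STEP, issue_body)
    return run_step(script, {**os.environ, "DEPLOY_TOKEN": secret})


def run_hardened(issue_body: str, secret: str) -> str:
    """Run the hardened step; attacker text is delivered as data via env."""
    env = {**os.environ, "DEPLOY_TOKEN": secret, "ISSUE_BODY": issue_body}
    return run_step(HARDENED_STEP, env)


if __name__ == "__main__":
    print("--- vulnerable step (secret leaks) ---")
    print(run_vulnerable(MALICIOUS_ISSUE_BODY, SAMPLE_SECRET))
    print("--- hardened step (payload is inert text) ---")
    print(run_hardened(MALICIOUS_ISSUE_BODY, SAMPLE_SECRET))
```

The same rule applies to any event field an outside user controls (issue title and body, comment bodies, pull request titles, branch names from forks): never place it inside `run:` scripts or inline code through an expression; bind it with `env:` and read it as data. As a second line of defence, limit the workflow's `permissions:` and keep deploy credentials out of workflows that fire on events an unprivileged account can trigger.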
Read at DevOps.com