CVE-2024-21623
Severity: CRITICAL (9.8)
Description
OTClient is an alternative Tibia client for OTServ. Prior to commit db560de0b56476c87a2f967466407939196dd254, the /mehah/otclient "`Analysis - SonarCloud`" workflow is vulnerable to an expression injection in GitHub Actions, allowing an attacker to run commands remotely on the runner, leak secrets, and alter the repository using this workflow. Commit db560de0b56476c87a2f967466407939196dd254 contains a fix for this issue.
CVE details
CVSS v3.1 score: 9.8
Severity: CRITICAL
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 1/2/2024
Last modified: 11/21/2024
Source: nvd
Honeypot sightings: 0
Affected products
mehah:otclient
Weaknesses (CWE)
CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection')
References (each listed by both sources: security-advisories@github.com and af854a3a-2127-422b-91ae-364da2661108)
https://github.com/mehah/otclient/blob/72744edc3b9913b920e0fd12e929604f682fda75/.github/workflows/analysis-sonarcloud.yml#L91-L104
https://github.com/mehah/otclient/commit/db560de0b56476c87a2f967466407939196dd254
https://github.com/mehah/otclient/security/advisories/GHSA-q6gr-wc79-v589
https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
https://securitylab.github.com/research/github-actions-untrusted-input/
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.