CVE-2024-21623
CRITICAL 9.8
Description
OTClient is an alternative Tibia client for OTServ. Prior to commit db560de0b56476c87a2f967466407939196dd254, the `Analysis - SonarCloud` workflow in /mehah/otclient was vulnerable to expression injection in GitHub Actions: an attacker-controlled `${{ ... }}` context is interpolated directly into a workflow step, and the runner substitutes its raw text before the shell parses the script, so quoting in the workflow cannot contain it. An attacker could therefore run commands on the runner, leak the secrets exposed to the workflow, and alter the repository with the permissions granted to that workflow. Commit db560de0b56476c87a2f967466407939196dd254 contains the fix.
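As an added illustration, not code from the otclient project or from the advisory, the Python below scans a workflow file for the pattern behind this bug class: an untrusted expression context interpolated into a `run:` script. It also mimics the runner's text substitution to show how a crafted pull-request title becomes shell commands, and contrasts a constructed vulnerable workflow with the hardened form that passes the same values through `env:`. The two workflows, the PR title, the `./scan` command and the list of untrusted contexts are all constructed for this example; the actual otclient workflow lines at fault are in the advisory references and are not reproduced here.

```python
import re

# Expression contexts whose text an outside contributor controls (a subset of
# the GitHub Security Lab "untrusted input" list, chosen for illustration).
UNTRUSTED_CONTEXTS = [
    r"github\.event\.issue\.(title|body)",
    r"github\.event\.pull_request\.(title|body)",
    r"github\.event\.pull_request\.head\.(ref|label)",
    r"github\.event\.(comment|review|review_comment)\.body",
    r"github\.event\.head_commit\.(message|author\.(name|email))",
    r"github\.head_ref",
]
UNTRUSTED_RE = [re.compile(p) for p in UNTRUSTED_CONTEXTS]

EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")        # ${{ expr }}
RUN_KEY_RE = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")  # `run:` or `- run:`
BLOCK_SCALARS = {"|", ">", "|-", ">-", "|+", ">+"}


def _untrusted_exprs(line):
    return [e for e in EXPR_RE.findall(line)
            if any(r.search(e) for r in UNTRUSTED_RE)]


def find_injections(workflow_text):
    """Return (line_number, expression) for every untrusted ${{ }} context
    interpolated into a `run:` script.  Expressions under `env:` are not
    reported: they reach the shell as variables, not as code."""
    findings, in_run, run_col = [], False, -1
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = RUN_KEY_RE.match(line)
        if m:
            run_col = len(m.group(1)) + len(m.group(2) or "")
            if m.group(3).strip() in BLOCK_SCALARS:
                in_run = True           # script follows on indented lines
                continue
            in_run = False              # one-line `run: ...`
            findings += [(lineno, e) for e in _untrusted_exprs(line)]
            continue
        if in_run:
            col = len(line) - len(line.lstrip())
            if line.strip() and col <= run_col:
                in_run = False          # dedent ends the block scalar
            else:
                findings += [(lineno, e) for e in _untrusted_exprs(line)]
    return findings


def expand(template, context):
    """Mimic the runner: every ${{ expr }} is replaced by raw text *before*
    the shell parses the script, so quotes in the template cannot help."""
    return EXPR_RE.sub(lambda m: context.get(m.group(1), ""), template)


def render_vulnerable_step():
    # Constructed PR title: closes the quoted string, then appends a command.
    title = 'fix"; id; echo "'
    return expand('echo "Analyzing PR ${{ github.event.pull_request.title }}"',
                  {"github.event.pull_request.title": title})


# Constructed workflow: untrusted contexts inside the shell script itself.
VULNERABLE_WORKFLOW = """\
name: Analysis
on: pull_request_target
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run analysis
        run: |
          echo "Analyzing PR ${{ github.event.pull_request.title }}"
          ./scan --branch "${{ github.head_ref }}"
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
"""

# Constructed hardened form: the same values go through `env:`, and the
# script reads them as quoted shell variables.
HARDENED_WORKFLOW = """\
name: Analysis
on: pull_request_target
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run analysis
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          HEAD_REF: ${{ github.head_ref }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: |
          echo "Analyzing PR $PR_TITLE"
          ./scan --branch "$HEAD_REF"
"""

if __name__ == "__main__":
    print("vulnerable:", find_injections(VULNERABLE_WORKFLOW))
    print("hardened:  ", find_injections(HARDENED_WORKFLOW))
    print("rendered:  ", render_vulnerable_step())
```

The scanner is a line-based heuristic rather than a YAML parser, so it will miss expressions spread across folded lines or passed through `with:` inputs of actions that themselves run a shell; treat a clean result as a starting point, and pair it with the `permissions:` and checkout review the referenced Security Lab articles describe.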
CVE Details
CVSS v3.1 Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Published: 1/2/2024
Last Modified: 11/21/2024
Source: nvd
Honeypot Sightings: 0
Affected Products
mehah:otclient
Weaknesses (CWE)
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
References (each reported by security-advisories@github.com and by CISA-ADP source af854a3a-2127-422b-91ae-364da2661108)
https://github.com/mehah/otclient/blob/72744edc3b9913b920e0fd12e929604f682fda75/.github/workflows/analysis-sonarcloud.yml#L91-L104
https://github.com/mehah/otclient/commit/db560de0b56476c87a2f967466407939196dd254
https://github.com/mehah/otclient/security/advisories/GHSA-q6gr-wc79-v589
https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
https://securitylab.github.com/research/github-actions-untrusted-input/
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.