CVE-2024-21623
CRITICAL 9.8
Description
OTClient is an alternative Tibia client for OTServ. Prior to commit db560de0b56476c87a2f967466407939196dd254, the /mehah/otclient "`Analysis - SonarCloud`" workflow was vulnerable to a GitHub Actions expression injection: an attacker-controlled value was interpolated with `${{ ... }}` directly into a step the workflow executes, so the runner substituted it into the step as plain text before execution. This allowed an attacker to run commands remotely on the runner, leak secrets, and alter the repository using this workflow. Commit db560de0b56476c87a2f967466407939196dd254 contains the fix for this issue.
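The following is an added illustration of the vulnerability class, not the otclient workflow itself (the advisory links the affected lines but this page does not reproduce them). It constructs a minimal `pull_request_target` step with the injectable shape, the same step hardened by passing the untrusted value through `env:`, a small scanner that flags `${{ }}` expressions referencing attacker-controlled contexts inside `run:` scripts, and a substitution simulation that shows why quoting inside the script cannot help. The workflow texts, the malicious PR title, and the names `UNTRUSTED_CONTEXTS`, `extract_run_scripts`, `find_expression_injections`, `simulate_expansion` and `demo` are this example's own assumptions; the context list is drawn from the GitHub Security Lab "untrusted input" reference below and is illustrative, not exhaustive.

```python
import re

# Contexts GitHub Security Lab lists as attacker-controllable (illustrative subset).
UNTRUSTED_CONTEXTS = [
    r"github\.head_ref",
    r"github\.event\.issue\.(title|body)",
    r"github\.event\.pull_request\.(title|body)",
    r"github\.event\.pull_request\.head\.(ref|label|repo\.default_branch)",
    r"github\.event\.(comment|review|review_comment)\.body",
    r"github\.event\.head_commit\.(message|author\.(name|email))",
    r"github\.event\.commits(\[\d+\]|\.\*)\.(message|author\.(name|email))",
    r"github\.event\.pages(\[\d+\]|\.\*)\.page_name",
    r"github\.event\.discussion\.(title|body)",
]
UNTRUSTED_RE = re.compile("|".join(UNTRUSTED_CONTEXTS))
EXPR_RE = re.compile(r"\$\{\{(.*?)\}\}", re.S)
RUN_RE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")
BLOCK_SCALAR_RE = re.compile(r"[|>][+-]?\d?")


def extract_run_scripts(workflow_text):
    """Yield (first_line_no, script) for every `run:` step.

    Indentation-based on purpose so it runs without PyYAML; handles both
    inline `run: cmd` and block scalars `run: |` / `run: >`.
    """
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_col = lines[i].index("run:")
        value = m.group(2).strip()
        if BLOCK_SCALAR_RE.fullmatch(value):
            # block body = following lines indented deeper than the `run:` key
            j = i + 1
            body = []
            while j < len(lines) and (
                lines[j].strip() == "" or len(lines[j]) - len(lines[j].lstrip()) > key_col
            ):
                body.append(lines[j])
                j += 1
            yield i + 2, "\n".join(body)
            i = j
        else:
            yield i + 1, value
            i += 1


def find_expression_injections(workflow_text):
    """Return [(line_no, expression)] for ${{ }} expressions inside run: scripts
    that reference attacker-controlled contexts. Expressions under env: are not
    flagged: they become environment variables the shell treats as data."""
    findings = []
    for line_no, script in extract_run_scripts(workflow_text):
        for expr in EXPR_RE.findall(script):
            expr = expr.strip()
            if UNTRUSTED_RE.search(expr):
                findings.append((line_no, expr))
    return findings


def simulate_expansion(script, context_values):
    """Mimic the runner: each ${{ expr }} is replaced as plain text before the
    shell starts, so quotes written inside the script give no protection."""
    return EXPR_RE.sub(lambda m: context_values.get(m.group(1).strip(), ""), script)


# Constructed example of the injectable shape (not the otclient workflow):
# a pull_request_target job interpolates PR-controlled strings straight into bash.
VULNERABLE_WORKFLOW = """\
name: analysis
on:
  pull_request_target:
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Report PR
        run: |
          echo "Analyzing PR: ${{ github.event.pull_request.title }}"
          echo "Head ref: ${{ github.head_ref }}"
"""

# Same step hardened: untrusted values go through env:, the script reads "$VAR".
HARDENED_WORKFLOW = """\
name: analysis
on:
  pull_request_target:
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Report PR
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          HEAD_REF: ${{ github.head_ref }}
        run: |
          echo "Analyzing PR: $PR_TITLE"
          echo "Head ref: $HEAD_REF"
"""

# Constructed attacker-chosen PR title: closes the echo string, appends a command.
MALICIOUS_TITLE = 'fix typo"; env; echo "'


def demo():
    flagged = find_expression_injections(VULNERABLE_WORKFLOW)
    clean = find_expression_injections(HARDENED_WORKFLOW)
    script = list(extract_run_scripts(VULNERABLE_WORKFLOW))[0][1]
    rendered = simulate_expansion(
        script, {"github.event.pull_request.title": MALICIOUS_TITLE, "github.head_ref": "feature/x"}
    )
    return flagged, clean, rendered


if __name__ == "__main__":
    flagged, clean, rendered = demo()
    for line_no, expr in flagged:
        print(f"vulnerable: line {line_no} interpolates {expr} into a shell step")
    print(f"hardened workflow findings: {clean}")
    print("shell text the runner would actually execute:\n" + rendered)
```

Run it against a repository's `.github/workflows/*.yml` to triage; anything it flags in a workflow triggered by `pull_request_target`, `issue_comment` or `issues` deserves the `env:` rewrite shown in `HARDENED_WORKFLOW`, since those triggers run with write permissions and secrets on input that any GitHub user can supply.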
CVE details
CVSS v3.1 score: 9.8
Severity: CRITICAL
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 2024-01-02
Last modified: 2024-11-21
Source: nvd
Honeypot observations: 0
Affected products
mehah:otclient
Weaknesses (CWE)
CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, "Injection")
References
NVD lists each reference under both source tags security-advisories@github.com and af854a3a-2127-422b-91ae-364da2661108; each URL is given once here.
https://github.com/mehah/otclient/blob/72744edc3b9913b920e0fd12e929604f682fda75/.github/workflows/analysis-sonarcloud.yml#L91-L104 (affected workflow lines, pre-fix revision)
https://github.com/mehah/otclient/commit/db560de0b56476c87a2f967466407939196dd254 (fix commit)
https://github.com/mehah/otclient/security/advisories/GHSA-q6gr-wc79-v589 (GitHub security advisory)
https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ (GitHub Security Lab: preventing pwn requests)
https://securitylab.github.com/research/github-actions-untrusted-input/ (GitHub Security Lab: untrusted input in Actions)
IOC correlations
No correlation recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.