GHSA-cxww-7g56-2vh6

Details

Impact

Versions of actions/download-artifact before 4.1.3 are vulnerable to arbitrary file write when downloading and extracting a specifically crafted artifact that contains path traversal filenames.

Patches

Upgrade to version 4.1.3 or higher. Alternatively use 'v4' tag which points to the latest and secure version.

References

https://snyk.io/research/zip-slip-vulnerability
https://github.com/actions/download-artifact/releases/tag/v4.1.3
https://github.com/actions/download-artifact/pull/299

CVE

CVE-2024-42471

Credits

Justin Taft from Google

Affected Packages

GitHub Actionsactions/download-artifact

Fixed in:

4.1.3

References

PACKAGEhttps://github.com/actions/download-artifact WEBhttps://github.com/actions/download-artifact/releases/tag/v4.1.3 WEBhttps://github.com/actions/download-artifact/security/advisories/GHSA-cxww-7g56-2vh6 ADVISORYhttps://github.com/advisories/GHSA-6q32-hq47-5qq3 ADVISORYhttps://github.com/advisories/GHSA-cxww-7g56-2vh6 WEBhttps://snyk.io/research/zip-slip-vulnerability

GHSA-cxww-7g56-2vh6

Details

Impact

Patches

References

CVE

Credits

Affected Packages

References

CVSS Analysis

Ecosystems

Timeline