Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

build(github): fix @actions/download-artifact CVE-2024-42471 #3512

Conversation

petermetz
Copy link
Contributor

GHSA-cxww-7g56-2vh6

Address the following problem by upgrading to the latest version:
@actions/download-artifact has an Arbitrary File Write via artifact extraction

Affected versions

= 4.0.0, < 4.1.7

Patched versions
4.1.7

Severity
High
7.3 / 10

GHSA ID
GHSA-cxww-7g56-2vh6

References

Signed-off-by: Peter Somogyvari peter.somogyvari@accenture.com

Pull Request Requirements

  • Rebased onto upstream/main branch and squashed into single commit to help maintainers review it more efficient and to avoid spaghetti git commit graphs that obfuscate which commit did exactly what change, when and, why.
  • Have git sign off at the end of commit message to avoid being marked red. You can add -s flag when using git commit command. You may refer to this link for more information.
  • Follow the Commit Linting specification. You may refer to this link for more information.

Character Limit

  • Pull Request Title and Commit Subject must not exceed 72 characters (including spaces and special characters).
  • Commit Message per line must not exceed 80 characters (including spaces and special characters).

A Must Read for Beginners
For rebasing and squashing, here's a must read guide for beginners.

GHSA-cxww-7g56-2vh6

Address the following problem by upgrading to the latest version:
@actions/download-artifact has an Arbitrary File Write via artifact extraction

Affected versions
>= 4.0.0, < 4.1.7

Patched versions
4.1.7

Severity
High
7.3 / 10

GHSA ID
GHSA-cxww-7g56-2vh6

References
- GHSA-cxww-7g56-2vh6
- https://github.com/actions/download-artifact/releases/tag/v4.1.7
- GHSA-6q32-hq47-5qq3
- https://snyk.io/research/zip-slip-vulnerability

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
@petermetz petermetz force-pushed the build-fix-cve-2024-42471-artifacts-download-action branch from 904fa16 to 55266b7 Compare September 9, 2024 16:27
@petermetz petermetz merged commit 94dd264 into hyperledger-cacti:main Sep 9, 2024
145 of 148 checks passed
@petermetz petermetz deleted the build-fix-cve-2024-42471-artifacts-download-action branch September 9, 2024 16:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants