nvd-json-data-feeds/CVE-2021/CVE-2021-327xx/CVE-2021-32724.json

{
  "id": "CVE-2021-32724",
  "sourceIdentifier": "security-advisories@github.com",
  "published": "2021-09-09T21:15:07.250",
  "lastModified": "2021-09-27T14:21:55.153",
  "vulnStatus": "Analyzed",
  "descriptions": [
    {
      "lang": "en",
      "value": "check-spelling is a github action which provides CI spell checking. In affected versions and for a repository with the [check-spelling action](https://github.com/marketplace/actions/check-spelling) enabled that triggers on `pull_request_target` (or `schedule`), an attacker can send a crafted Pull Request that causes a `GITHUB_TOKEN` to be exposed. With the `GITHUB_TOKEN`, it's possible to push commits to the repository bypassing standard approval processes. Commits to the repository could then steal any/all secrets available to the repository. As a workaround users may can either: [Disable the workflow](https://docs.github.com/en/actions/managing-workflow-runs/disabling-and-enabling-a-workflow) until you've fixed all branches or Set repository to [Allow specific actions](https://docs.github.com/en/github/administering-a-repository/managing-repository-settings/disabling-or-limiting-github-actions-for-a-repository#allowing-specific-actions-to-run). check-spelling isn't a verified creator and it certainly won't be anytime soon. You could then explicitly add other actions that your repository uses. Set repository [Workflow permissions](https://docs.github.com/en/github/administering-a-repository/managing-repository-settings/disabling-or-limiting-github-actions-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository) to `Read repository contents permission`. Workflows using `check-spelling/check-spelling@main` will get the fix automatically. Workflows using a pinned sha or tagged version will need to change the affected workflows for all repository branches to the latest version. Users can verify who and which Pull Requests have been running the action by looking up the spelling.yml action in the Actions tab of their repositories, e.g., https://github.com/check-spelling/check-spelling/actions/workflows/spelling.yml - you can filter PRs by adding ?query=event%3Apull_request_target, e.g., https://github.com/check-spelling/check-spelling/actions/workflows/spelling.yml?query=event%3Apull_request_target."
    },
    {
      "lang": "es",
      "value": "check-spelling es una acci\u00f3n de github que proporciona una comprobaci\u00f3n ortogr\u00e1fica de CI. En versiones afectadas  y para un repositorio con la acci\u00f3n [check-spelling](https://github.com/marketplace/actions/check-spelling) habilitada que desencadena en \"pull_request_target\" (o \"schedule\"), un atacante puede enviar un Pull Request dise\u00f1ado que cause que un \"GITHUB_TOKEN\" sea expuesto. Con el \"GITHUB_TOKEN\", es posible enviar confirmaciones al commit omitiendo los procesos de aprobaci\u00f3n est\u00e1ndar. Los commits al repositorio podr\u00edan entonces robar cualquier/todos los secretos disponibles en el repositorio. Como soluci\u00f3n, los usuarios pueden: [Desactivar el flujo de trabajo](https://docs.github.com/en/actions/managing-workflow-runs/disabling-and-enabling-a-workflow) hasta que haya corregido todas las ramas o Configurar el repositorio para [Permitir acciones espec\u00edficas](https://docs.github.com/en/github/administering-a-repository/managing-repository-settings/disabling-or-limiting-github-actions-for-a-repository#allowing-specific-actions-to-run). la comprobaci\u00f3n de la ortograf\u00eda no es un creador verificado y ciertamente no lo ser\u00e1 pronto. Entonces podr\u00eda a\u00f1adir expl\u00edcitamente otras acciones que su repositorio usa. Ajuste el repositorio [Permisos de flujo de trabajo](https://docs.github.com/en/github/administering-a-repository/managing-repository-settings/disabling-or-limiting-github-actions-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository) a \"Read repository contents permission\". Los flujos de trabajo que usen \"check-spelling/check-spelling@main\" obtendr\u00e1n la correcci\u00f3n autom\u00e1ticamente. Los flujos de trabajo que usen una versi\u00f3n con anclaje o etiquetada tendr\u00e1n que cambiar los flujos de trabajo afectados para todas las ramas del repositorio a la \u00faltima versi\u00f3n. Los usuarios pueden verificar qui\u00e9n y qu\u00e9 Pull Requests han ejecutado la acci\u00f3n buscando la acci\u00f3n spelling.yml en la pesta\u00f1a Acciones de sus repositorios, por ejemplo, https://github.com/check-spelling/check-spelling/actions/workflows/spelling.yml - puede filtrar los PRs al a\u00f1adir ?query=event%3Apull_request_target, por ejemplo, https://github.com/check-spelling/check-spelling/actions/workflows/spelling.yml?query=event%3Apull_request_target"
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "security-advisories@github.com",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "NONE",
          "scope": "CHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH",
          "baseScore": 9.9,
          "baseSeverity": "CRITICAL"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 6.0
      }
    ],
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "accessVector": "NETWORK",
          "accessComplexity": "MEDIUM",
          "authentication": "NONE",
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8
        },
        "baseSeverity": "MEDIUM",
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": false
      }
    ]
  },
  "weaknesses": [
    {
      "source": "security-advisories@github.com",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-532"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:check-spelling:check-spelling:*:*:*:*:*:*:*:*",
              "versionEndExcluding": "0.0.19",
              "matchCriteriaId": "A4A73141-03F7-4AAB-A7E3-6D2331D73257"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/check-spelling/check-spelling/commit/436362fc6b588d9d561cbdb575260ca593c8dc56",
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://github.com/check-spelling/check-spelling/security/advisories/GHSA-g86g-chm8-7r2p",
      "source": "security-advisories@github.com",
      "tags": [
        "Mitigation",
        "Third Party Advisory"
      ]
    }
  ]
}