VDB

GCVE-110-CLOUD-2023-0004

GCVE-110-CLOUD-2023-0004
Advisory Published
Vulnetix · Advisory published December 20, 2023
Azure Pipelines and GitHub Actions allow deployment of runners and agents using VM images sourced from a GitHub-managed repository (github.com/actions/runner-images). This repo was misconfigured to use self-hosted runners insecurely, in a way that could have allowed a malicious external contributor (i.e., anyone who had previously had at least one PR approved and merged in the repo) to poison the repository and achieve code execution on runners in the repo. This in turn could have theoretically allowed an attacker to modify the source code of the images, and thereby conduct a supply chain attack against Pipelines and Actions customers.

Affected Products

VendorProductVersionsPlatforms
GitHubAzure Pipelines, GitHub Actions
AzureAzure Pipelines, GitHub Actions
AzureCloud Services

Browse GCVE Records

73,443 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›