VDB

GCVE-110-CLOUD-2023-0049

GCVE-110-CLOUD-2023-0049
Advisory Published
Vulnetix · Advisory published March 8, 2023
A vulnerability in GitHub Actions allows bypassing workflow settings using commits from forked repositories (rather than commits of the main action repo). This "imposter commits" issue can potentially introduce untrusted code into CI/CD pipelines, posing a risk to the security of the software supply chain. The vulnerability stems from GitHub's handling of forked repositories and how commits are shared between forks and parent repositories. A partial solution to this was GitHub prohibiting partial commit references in workflows, however, no full solution exists currently.

Affected Products

VendorProductVersionsPlatforms
GitHubGitHub Actions
GitHubCloud Services

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›