CVE-2024-41127 - Vulnerability Details

Vendors	Products
Monkeytype	Monkeytype

Link	Providers
https://github.com/monkeytypegame/monkeytype/commit/29627fd0d5f152e2da59671987090ea0a5c29874
https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-wcjf-5464-4wq9
https://securitylab.github.com/advisories/GHSL-2024-167_monkeytype

Type	Values Removed	Values Added
Weaknesses		CWE-94

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-41127", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-07-15T15:53:28.323Z", "datePublished": "2024-08-02T14:46:21.941Z", "dateUpdated": "2024-08-02T16:52:08.440Z"}, "containers": {"cna": {"title": "Monkeytype is vulnerable to Poisoned Pipeline Execution through Code Injection in its `ci-failure-comment.yml` GitHub Workflow, enabling attackers to gain `pull-requests` write access.", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-wcjf-5464-4wq9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-wcjf-5464-4wq9"}, {"name": "https://github.com/monkeytypegame/monkeytype/commit/29627fd0d5f152e2da59671987090ea0a5c29874", "tags": ["x_refsource_MISC"], "url": "https://github.com/monkeytypegame/monkeytype/commit/29627fd0d5f152e2da59671987090ea0a5c29874"}, {"name": "https://securitylab.github.com/advisories/GHSL-2024-167_monkeytype", "tags": ["x_refsource_MISC"], "url": "https://securitylab.github.com/advisories/GHSL-2024-167_monkeytype"}], "affected": [{"vendor": "monkeytypegame", "product": "monkeytype", "versions": [{"version": "< 24.30.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-08-02T14:46:21.941Z"}, "descriptions": [{"lang": "en", "value": "Monkeytype is a minimalistic and customizable typing test. Monkeytype is vulnerable to Poisoned Pipeline Execution through Code Injection in its ci-failure-comment.yml GitHub Workflow, enabling attackers to gain pull-requests write access. The ci-failure-comment.yml workflow is triggered when the Monkey CI workflow completes. When it runs, it will download an artifact uploaded by the triggering workflow and assign the contents of ./pr_num/pr_num.txt artifact to the steps.pr_num_reader.outputs.content WorkFlow variable. It is not validated that the variable is actually a number and later it is interpolated into a JS script allowing an attacker to change the code to be executed. This issue leads to pull-requests write access. This vulnerability is fixed in 24.30.0."}], "source": {"advisory": "GHSA-wcjf-5464-4wq9", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "monkeytype", "product": "monkeytype", "cpes": ["cpe:2.3:a:monkeytype:monkeytype:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "24.30.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-02T16:48:39.585270Z", "id": "CVE-2024-41127", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-02T16:52:08.440Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-41127", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-07-15T15:53:28.323Z", "datePublished": "2024-08-02T14:46:21.941Z", "dateUpdated": "2024-08-02T16:52:08.440Z"}, "containers": {"cna": {"title": "Monkeytype is vulnerable to Poisoned Pipeline Execution through Code Injection in its `ci-failure-comment.yml` GitHub Workflow, enabling attackers to gain `pull-requests` write access.", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-wcjf-5464-4wq9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-wcjf-5464-4wq9"}, {"name": "https://github.com/monkeytypegame/monkeytype/commit/29627fd0d5f152e2da59671987090ea0a5c29874", "tags": ["x_refsource_MISC"], "url": "https://github.com/monkeytypegame/monkeytype/commit/29627fd0d5f152e2da59671987090ea0a5c29874"}, {"name": "https://securitylab.github.com/advisories/GHSL-2024-167_monkeytype", "tags": ["x_refsource_MISC"], "url": "https://securitylab.github.com/advisories/GHSL-2024-167_monkeytype"}], "affected": [{"vendor": "monkeytypegame", "product": "monkeytype", "versions": [{"version": "< 24.30.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-08-02T14:46:21.941Z"}, "descriptions": [{"lang": "en", "value": "Monkeytype is a minimalistic and customizable typing test. Monkeytype is vulnerable to Poisoned Pipeline Execution through Code Injection in its ci-failure-comment.yml GitHub Workflow, enabling attackers to gain pull-requests write access. The ci-failure-comment.yml workflow is triggered when the Monkey CI workflow completes. When it runs, it will download an artifact uploaded by the triggering workflow and assign the contents of ./pr_num/pr_num.txt artifact to the steps.pr_num_reader.outputs.content WorkFlow variable. It is not validated that the variable is actually a number and later it is interpolated into a JS script allowing an attacker to change the code to be executed. This issue leads to pull-requests write access. This vulnerability is fixed in 24.30.0."}], "source": {"advisory": "GHSA-wcjf-5464-4wq9", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-41127", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-02T16:48:39.585270Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:monkeytype:monkeytype:*:*:*:*:*:*:*:*"], "vendor": "monkeytype", "product": "monkeytype", "versions": [{"status": "affected", "version": "0", "lessThan": "24.30.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-02T16:52:04.068Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:monkeytype:monkeytype:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D09169A-F904-4F72-9084-912E77340CA1", "versionEndExcluding": "24.30.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Monkeytype is a minimalistic and customizable typing test. Monkeytype is vulnerable to Poisoned Pipeline Execution through Code Injection in its ci-failure-comment.yml GitHub Workflow, enabling attackers to gain pull-requests write access. The ci-failure-comment.yml workflow is triggered when the Monkey CI workflow completes. When it runs, it will download an artifact uploaded by the triggering workflow and assign the contents of ./pr_num/pr_num.txt artifact to the steps.pr_num_reader.outputs.content WorkFlow variable. It is not validated that the variable is actually a number and later it is interpolated into a JS script allowing an attacker to change the code to be executed. This issue leads to pull-requests write access. This vulnerability is fixed in 24.30.0."}, {"lang": "es", "value": "Monkeytype es una prueba de mecanograf\u00eda minimalista y personalizable. Monkeytype es vulnerable a la ejecuci\u00f3n de canalizaci\u00f3n envenenada mediante inyecci\u00f3n de c\u00f3digo en su flujo de trabajo de GitHub ci-failure-comment.yml, lo que permite a los atacantes obtener acceso de escritura a solicitudes de extracci\u00f3n. El flujo de trabajo ci-failure-comment.yml se activa cuando se completa el flujo de trabajo de Monkey CI. Cuando se ejecute, descargar\u00e1 un artefacto cargado por el flujo de trabajo desencadenante y asignar\u00e1 el contenido del artefacto ./pr_num/pr_num.txt a la variable de flujo de trabajo steps.pr_num_reader.outputs.content. No se valida que la variable sea en realidad un n\u00famero y luego se interpola en un script JS que permite a un atacante cambiar el c\u00f3digo a ejecutar. Este problema conduce al acceso de escritura de las solicitudes de extracci\u00f3n. Esta vulnerabilidad se solucion\u00f3 en 24.30.0."}], "id": "CVE-2024-41127", "lastModified": "2024-09-11T14:52:15.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "[email protected]", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 6.0, "source": "[email protected]", "type": "Secondary"}]}, "published": "2024-08-02T15:16:36.503", "references": [{"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/monkeytypegame/monkeytype/commit/29627fd0d5f152e2da59671987090ea0a5c29874"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-wcjf-5464-4wq9"}, {"source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"], "url": "https://securitylab.github.com/advisories/GHSL-2024-167_monkeytype"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "[email protected]", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-74"}], "source": "[email protected]", "type": "Secondary"}]}

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation poc

Automatable no

Technical Impact total

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation poc

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object