CVE-2024-41127

Monkeytype is a minimalistic and customizable typing test. Monkeytype is vulnerable to Poisoned Pipeline Execution through Code Injection in its ci-failure-comment.yml GitHub Workflow, enabling attackers to gain pull-requests write access. The ci-failure-comment.yml workflow is triggered when the Monkey CI workflow completes. When it runs, it will download an artifact uploaded by the triggering workflow and assign the contents of ./pr_num/pr_num.txt artifact to the steps.pr_num_reader.outputs.content WorkFlow variable. It is not validated that the variable is actually a number and later it is interpolated into a JS script allowing an attacker to change the code to be executed. This issue leads to pull-requests write access. This vulnerability is fixed in 24.30.0.
Configurations

Configuration 1 (hide)

cpe:2.3:a:monkeytype:monkeytype:*:*:*:*:*:*:*:*

History

11 Sep 2024, 14:52

Type Values Removed Values Added
References () https://github.com/monkeytypegame/monkeytype/commit/29627fd0d5f152e2da59671987090ea0a5c29874 - () https://github.com/monkeytypegame/monkeytype/commit/29627fd0d5f152e2da59671987090ea0a5c29874 - Patch
References () https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-wcjf-5464-4wq9 - () https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-wcjf-5464-4wq9 - Vendor Advisory
References () https://securitylab.github.com/advisories/GHSL-2024-167_monkeytype - () https://securitylab.github.com/advisories/GHSL-2024-167_monkeytype - Exploit, Third Party Advisory
CPE cpe:2.3:a:monkeytype:monkeytype:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : 8.3
v2 : unknown
v3 : 9.6
CWE CWE-94
First Time Monkeytype
Monkeytype monkeytype

05 Aug 2024, 12:41

Type Values Removed Values Added
Summary
  • (es) Monkeytype es una prueba de mecanografía minimalista y personalizable. Monkeytype es vulnerable a la ejecución de canalización envenenada mediante inyección de código en su flujo de trabajo de GitHub ci-failure-comment.yml, lo que permite a los atacantes obtener acceso de escritura a solicitudes de extracción. El flujo de trabajo ci-failure-comment.yml se activa cuando se completa el flujo de trabajo de Monkey CI. Cuando se ejecute, descargará un artefacto cargado por el flujo de trabajo desencadenante y asignará el contenido del artefacto ./pr_num/pr_num.txt a la variable de flujo de trabajo steps.pr_num_reader.outputs.content. No se valida que la variable sea en realidad un número y luego se interpola en un script JS que permite a un atacante cambiar el código a ejecutar. Este problema conduce al acceso de escritura de las solicitudes de extracción. Esta vulnerabilidad se solucionó en 24.30.0.

02 Aug 2024, 15:16

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-02 15:16

Updated : 2024-09-11 14:52


NVD link : CVE-2024-41127

Mitre link : CVE-2024-41127

CVE.ORG link : CVE-2024-41127


JSON object : View

Products Affected

monkeytype

  • monkeytype
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')