CVE-2024-42471

moderate-risk

Published 2024-09-02

actions/artifact is the GitHub ToolKit for developing GitHub Actions. Versions of `actions/artifact` on the 2.x branch before 2.1.2 are vulnerable to arbitrary file write when using `downloadArtifactInternal`, `downloadArtifactPublic`, or `streamExtractExternal` for extracting a specifically crafted artifact that contains path traversal filenames. Users are advised to upgrade to version 2.1.2 or higher. There are no known workarounds for this issue.

Do I need to act?

7.7% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

52276

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.3/10 High

NETWORK / LOW complexity

Affected Products (2)

Actions\/Artifact

Actions Toolkit

Affected Vendors

Github

References (3)

https://github.com/actions/toolkit/pull/1666

Vendor Advisory https://github.com/actions/toolkit/security/advisories/GHSA-6q32-hq47-5qq3

Not Applicable https://snyk.io/research/zip-slip-vulnerability

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 10/34 · Low

Exposure 7/34 · Low