Versio.io

CVE-2022-29220

Common vulnerabilities & exposures (CVE)

Published at: - 31-05-2022 06:15
Last modified: - 15-06-2022 08:49
Total changes: - 4

Description

github-action-merge-dependabot is an action that automatically approves and merges dependabot pull requests (PRs). Prior to version 3.2.0, github-action-merge-dependabot does not check whether a commit created by dependabot is verified with the proper GPG key; it only checks whether the actor is set to `dependabot[bot]` to decide that the PR is legitimate. In theory, the owner of a seemingly valid and legitimate action in the pipeline can check whether the PR was created by dependabot and whether their own action has enough permissions to modify the PR. If so, they can modify the PR by adding a second seemingly valid and legitimate commit to it, since the username and email of a git commit can be set arbitrarily. Because the bot only checks whether the actor is valid, it would pass the malicious changes through and merge the PR automatically, without the project maintainers noticing. It would probably not be possible to determine where the malicious commit came from, as it would only show `dependabot[bot]` and the corresponding email address. Version 3.2.0 contains a patch for this issue.
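The flawed decision described above, beside a hardened variant that also requires a verified signature on every commit, as an added example written for this page. It is not the github-action-merge-dependabot project's code and does not reproduce its 3.2.0 fix. It assumes commit objects shaped like the GitHub REST API's "list commits on a pull request" response, where GitHub reports signature status under `commit.verification`; the PR data, SHAs, messages and the `example.invalid` email address are constructed sample values.

```javascript
// Added example, not code from the github-action-merge-dependabot project.
// It models the pre-3.2.0 decision (merge if the actor is `dependabot[bot]`)
// beside a hardened decision that additionally requires every commit on the
// PR to carry a signature GitHub reports as verified. The commit shape follows
// the GitHub REST API "list commits on a pull request" response, where the
// signature status lives under commit.commit.verification.

const DEPENDABOT_ACTOR = 'dependabot[bot]';

// Pre-3.2.0 logic as the advisory describes it: the actor name is the only gate.
function vulnerableShouldMerge(pr) {
  return pr.actor === DEPENDABOT_ACTOR;
}

// A commit is trusted only if GitHub verified its signature. The author name
// and email are attacker-controlled metadata and are deliberately not consulted.
function commitIsVerified(commit) {
  const v = (commit.commit && commit.commit.verification) || {};
  return v.verified === true && v.reason === 'valid';
}

// Hardened logic: actor gate plus a per-commit signature gate. Returns a
// decision object so the caller can log why a merge was refused.
function hardenedShouldMerge(pr) {
  if (pr.actor !== DEPENDABOT_ACTOR) {
    return { merge: false, reason: `actor ${pr.actor} is not ${DEPENDABOT_ACTOR}` };
  }
  if (!Array.isArray(pr.commits) || pr.commits.length === 0) {
    return { merge: false, reason: 'PR has no commits' };
  }
  const unverified = pr.commits.filter((c) => !commitIsVerified(c)).map((c) => c.sha);
  if (unverified.length > 0) {
    return { merge: false, reason: `unverified commits: ${unverified.join(', ')}` };
  }
  return { merge: true, reason: 'all commits carry a verified signature' };
}

// Constructed sample data (not real API output). Both commits claim the same
// author identity; only the first one is actually signed.
const SPOOFABLE_AUTHOR = { name: 'dependabot[bot]', email: 'dependabot[bot]@example.invalid' };

const signedCommit = {
  sha: '1111111',
  commit: {
    author: SPOOFABLE_AUTHOR,
    message: 'Bump example-dep from 1.0.0 to 1.0.1',
    verification: { verified: true, reason: 'valid' },
  },
};
const injectedCommit = {
  sha: '2222222',
  commit: {
    author: SPOOFABLE_AUTHOR,
    message: 'Bump example-dep lockfile',
    verification: { verified: false, reason: 'unsigned' },
  },
};

const cleanPr = { actor: DEPENDABOT_ACTOR, commits: [signedCommit] };
const tamperedPr = { actor: DEPENDABOT_ACTOR, commits: [signedCommit, injectedCommit] };

console.log('clean PR    vulnerable:', vulnerableShouldMerge(cleanPr), 'hardened:', hardenedShouldMerge(cleanPr));
console.log('tampered PR vulnerable:', vulnerableShouldMerge(tamperedPr), 'hardened:', hardenedShouldMerge(tamperedPr));
```

The tampered PR is accepted by the actor-only check and refused by the hardened one, with the offending SHA named in the reason. In a real action the commit list would come from the GitHub API (for example octokit's `pulls.listCommits`), and the `verification` object is the signal worth trusting: the commit's author name and email are exactly the fields the advisory notes can be set arbitrarily, so a check built on them would not close the gap.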

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack vector (AV):        Network
Attack complexity (AC):    Low
Privileges required (PR):  Low
User interaction (UI):     None
Scope (S):                 Unchanged
Confidentiality (C):       None
Integrity (I):             High
Availability (A):          None

Base score:                6.5
Exploitability score:      2.8
Impact score:              3.6

Verification logic

OR
vendor=fastify AND product=github_action_merge_dependabot AND version=-
vendor=fastify AND product=github_action_merge_dependabot AND version=1.0.0
vendor=fastify AND product=github_action_merge_dependabot AND version=1.0.1
vendor=fastify AND product=github_action_merge_dependabot AND version=1.1.0
vendor=fastify AND product=github_action_merge_dependabot AND version=1.1.1
vendor=fastify AND product=github_action_merge_dependabot AND version=1.2.0
vendor=fastify AND product=github_action_merge_dependabot AND version=1.2.1
vendor=fastify AND product=github_action_merge_dependabot AND version=2.0.0
vendor=fastify AND product=github_action_merge_dependabot AND version=2.1.0
vendor=fastify AND product=github_action_merge_dependabot AND version=2.1.1
vendor=fastify AND product=github_action_merge_dependabot AND version=2.2.0
vendor=fastify AND product=github_action_merge_dependabot AND version=2.3.0
vendor=fastify AND product=github_action_merge_dependabot AND version=2.4.0
vendor=fastify AND product=github_action_merge_dependabot AND version=2.5.0
vendor=fastify AND product=github_action_merge_dependabot AND version=2.6.0
vendor=fastify AND product=github_action_merge_dependabot AND version=2.7.0
vendor=fastify AND product=github_action_merge_dependabot AND version=2.7.1
vendor=fastify AND product=github_action_merge_dependabot AND version=3.0.0
vendor=fastify AND product=github_action_merge_dependabot AND version=3.0.1
vendor=fastify AND product=github_action_merge_dependabot AND version=3.0.2
vendor=fastify AND product=github_action_merge_dependabot AND version=3.1.0
vendor=fastify AND product=github_action_merge_dependabot AND version=3.1.1
vendor=fastify AND product=github_action_merge_dependabot AND version=3.1.2
vendor=fastify AND product=github_action_merge_dependabot AND version=3.1.3
vendor=fastify AND product=github_action_merge_dependabot AND version=3.1.4
vendor=fastify AND product=github_action_merge_dependabot AND version=3.1.5
vendor=fastify AND product=github_action_merge_dependabot AND version=3.1.6
vendor=fastify AND product=github_action_merge_dependabot AND version=3.1.7
vendor=fastify AND product=github_action_merge_dependabot AND version=3.1
vendor=fastify AND product=github_action_merge_dependabot AND version=3.2

Keywords

NVD, CVE-2022-29220, CVE, Common vulnerabilities & exposures, CVSS, Common vulnerability scoring system, Security, Vulnerabilities, Exposures
