Versions of actions/artifact before 2.1.7 are vulnerable to arbitrary file write when using downloadArtifactInternal, downloadArtifactPublic, or streamExtractExternal to extract a specifically crafted artifact that contains path traversal filenames.
Upgrade to version 2.1.7 or higher.
CVE-2024-42471
Justin Taft from Google
{ "nvd_published_at": "2024-09-02T18:15:35Z", "cwe_ids": [ "CWE-22" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-09-03T20:08:30Z" }