Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
github runner vulnerabilities and exploits
(subscribe to this query)
9.9
CVSSv3
CVE-2022-39321
GitHub Actions Runner is the application that runs a job from a GitHub Actions workflow. The actions runner invokes the docker cli directly in order to run job containers, service containers, or container actions. A bug in the logic for how the environment is encoded into these d...
Github Runner
9.8
CVSSv3
CVE-2023-51664
tj-actions/changed-files is a Github action to retrieve all files and directories. before 41.0.0, the `tj-actions/changed-files` workflow allows for command injection in changed filenames, allowing an malicious user to execute arbitrary code and potentially leak secrets. This iss...
Tj-actions Changed-files
9.8
CVSSv3
CVE-2021-22869
An improper access control vulnerability in GitHub Enterprise Server allowed a workflow job to execute in a self-hosted runner group it should not have had access to. This affects customers using self-hosted runner groups for access control. A repository with access to one enterp...
Github Enterprise Server
9.8
CVSSv3
CVE-2020-14188
The preprocessArgs function in the Atlassian gajira-create GitHub Action before version 2.0.1 allows remote malicious users to execute arbitrary code in the context of a GitHub runner by creating a specially crafted GitHub issue.
Atlassian Jira Create
9.8
CVSSv3
CVE-2020-14189
The execute function in in the Atlassian gajira-comment GitHub Action before version 2.0.2 allows remote malicious users to execute arbitrary code in the context of a GitHub runner by creating a specially crafted GitHub issue comment.
Atlassian Jira Comment
8.8
CVSSv3
CVE-2023-52137
The [`tj-actions/verify-changed-files`](https://github.com/tj-actions/verify-changed-files) action allows for command injection in changed filenames, allowing an malicious user to execute arbitrary code and potentially leak secrets. The [`verify-changed-files`](https://github.com...
Tj-actions Verify-changed-files
8.8
CVSSv3
CVE-2023-26493
Cocos Engine is an open-source framework for building 2D & 3D real-time rendering and interactive content. In the github repo for Cocos Engine the `web-interface-check.yml` was subject to command injection. The `web-interface-check.yml` was triggered when a pull request was o...
Cocos Cocos-engine
8.8
CVSSv3
CVE-2023-22381
A code injection vulnerability was identified in GitHub Enterprise Server that allowed setting arbitrary environment variables from a single environment variable value in GitHub Actions when using a Windows based runner. To exploit this vulnerability, an attacker would need exist...
Github Enterprise Server
8.1
CVSSv3
CVE-2023-28430
OneSignal is an email, sms, push notification, and in-app message service for mobile apps.The Zapier.yml workflow is triggered on issues (types: [closed]) (i.e., when an Issue is closed). The workflow starts with full write-permissions GitHub repository token since the default wo...
Onesignal React-native-onesignal
7
CVSSv3
CVE-2023-23939
Azure/setup-kubectl is a GitHub Action for installing Kubectl. This vulnerability only impacts versions before version 3. An insecure temporary creation of a file allows other actors on the Actions runner to replace the Kubectl binary created by this action because it is world wr...
Microsoft Azure Setup Kubectl
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
SSTI
CVE-2024-35863
CVE-2024-35910
man-in-the-middle
CVE-2024-35912
CVE-2024-25742
LFI
CVE-2024-32002
CVE-2024-22120
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
NEXT »