CVE-2024-42471
published 2024-09-02

Priority: P2 (58) · Severity: high · CVSS 3.1 base score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 3.04% (85.9th percentile)
actions/artifact is the GitHub ToolKit for developing GitHub Actions. Versions of `actions/artifact` on the 2.x branch before 2.1.2 are vulnerable to arbitrary file write when using `downloadArtifactInternal`, `downloadArtifactPublic`, or `streamExtractExternal` for extracting a specifically crafted artifact that contains path traversal filenames. Users are advised to upgrade to version 2.1.2 or higher. There are no known workarounds for this issue.

Affected (4 ranges)

Vendor    Product             Version range        Fixed in
actions   artifact            >= 2.0.0 < 2.1.2     2.1.2
actions   download-artifact   >= 4.0.0 < 4.1.3     4.1.3
actions   toolkit
github    actions_artifact    >= 2.0.0 < 2.1.7     2.1.7

Detection & IOCs (extracted from sources)

path: hack/../../../../../../../../../../../../../../
  • Detect ZIP archives containing entries whose arcname/filename fields carry path traversal sequences (e.g. `../../`); a crafted artifact of this shape is the delivery mechanism for the arbitrary file write.
  • In actions/artifact 2.x before 2.1.2, treat every artifact passed to `downloadArtifactInternal`, `downloadArtifactPublic`, or `streamExtractExternal` as untrusted input and check the names of the extracted entries for path traversal.
  • Flag any ZIP extraction in which an entry filename, after normalization, resolves outside the intended destination directory; this is the Zip Slip / path traversal pattern that targets unzip-stream 0.3.1.
  • Only actions/artifact 2.x versions before 2.1.2 are affected; 2.1.2 and later are patched. There is no workaround other than upgrading.
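The normalization-and-prefix check the bullets above describe, as an added example; this is not code from actions/artifact, unzip-stream, or this page. It builds an in-memory ZIP whose entry names are constructed here (the `hack/../…` name reuses the IOC quoted above with a hypothetical target appended; the absolute, backslash and drive-letter names are extra cases added to show the same check generalizes), then classifies every entry against a hypothetical destination directory `/srv/extract`. Python's `zipfile` is used only because it can write unsanitized entry names and read them back offline.

```python
"""Zip Slip / path-traversal scanner for ZIP entry names (added example)."""
import io
import posixpath
import zipfile

# Constructed sample entry names. The "hack/../../..." name mirrors the IOC on
# this page; the remaining names are added here to exercise the other ways an
# entry can escape its destination.
SAMPLE_ENTRIES = [
    "README.md",                       # benign
    "dir/../safe.txt",                 # contains '..' but still lands inside dest
    "hack/../../../../../../../../../../../../../../etc/cron.d/evil",  # classic Zip Slip
    "/etc/passwd",                     # absolute path
    "..\\..\\win.ini",                 # backslash separators, as a Windows extractor treats them
    "C:\\Windows\\System32\\drivers\\etc\\hosts",  # drive-letter absolute path
]

# Hypothetical extraction directory; any POSIX path works.
DEST = "/srv/extract"


def build_crafted_zip(entry_names):
    """Build an in-memory ZIP whose entries carry the given (unsanitized) names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in entry_names:
            # ZipInfo stores the name verbatim, so traversal sequences survive.
            zf.writestr(name, b"constructed payload\n")
    return buf.getvalue()


def entry_is_safe(name, dest):
    """Return (safe, reason) for one archive entry relative to `dest`.

    Normalize the joined path and require it to stay at or under the
    destination; anything else is a Zip Slip candidate.
    """
    if not name:
        return False, "empty name"
    if "\x00" in name:
        return False, "embedded NUL byte"
    # Treat backslashes as separators too: a Windows extractor would.
    normalized = name.replace("\\", "/")
    if normalized.startswith("/"):
        return False, "absolute path"
    if len(normalized) >= 2 and normalized[0].isalpha() and normalized[1] == ":":
        return False, "drive-letter path"
    dest = posixpath.normpath(dest)
    resolved = posixpath.normpath(posixpath.join(dest, normalized))
    if resolved != dest and not resolved.startswith(dest.rstrip("/") + "/"):
        return False, f"resolves outside destination ({resolved})"
    return True, "ok"


def scan_zip(zip_bytes, dest):
    """Check every entry of a ZIP; returns a list of (name, safe, reason)."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            safe, reason = entry_is_safe(info.filename, dest)
            results.append((info.filename, safe, reason))
    return results


def unsafe_entries(zip_bytes, dest):
    """Names of entries that would escape `dest`; an empty list means the archive is clean."""
    return [name for name, safe, _ in scan_zip(zip_bytes, dest) if not safe]


if __name__ == "__main__":
    archive = build_crafted_zip(SAMPLE_ENTRIES)
    for name, safe, reason in scan_zip(archive, DEST):
        print(f"{'OK  ' if safe else 'FAIL'} {name!r}: {reason}")
```

Running the block lists the two benign names as OK and the other four as FAIL. The check is done on the entry name before any write, which is the only place it can be done safely: once a vulnerable extractor has resolved `hack/../../..` past the destination the file is already on disk. Note that `dir/../safe.txt` is accepted; rejecting every `..` would also work as a stricter policy, but the resolve-then-compare rule is what catches names that escape by other means (absolute paths, drive letters, backslashes).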

CVSS provenance

Source   Version    Score   Severity   Vector
NVD      CVSS 3.1   7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
GHSA                7.5     HIGH
OSV                 7.5     HIGH