CVE-2024-42471
Published 2024-09-02
Priority: P2 · 58 · High · CVSS 3.1 score 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploit
EPSS: 3.04% (85.9th percentile)
actions/artifact is the GitHub ToolKit for developing GitHub Actions. Versions of `actions/artifact` on the 2.x branch before 2.1.2 are vulnerable to arbitrary file write when using `downloadArtifactInternal`, `downloadArtifactPublic`, or `streamExtractExternal` for extracting a specifically crafted artifact that contains path traversal filenames. Users are advised to upgrade to version 2.1.2 or higher. There are no known workarounds for this issue.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| actions | artifact | >= 2.0.0 < 2.1.2 | 2.1.2 |
| actions | download-artifact | >= 4.0.0 < 4.1.3 | 4.1.3 |
| actions | toolkit | — | — |
| github | actions_artifact | >= 2.0.0 < 2.1.7 | 2.1.7 |
Detection & IOCs (extracted from sources)
- Detect ZIP archives containing entries with path traversal sequences (e.g. `../../`) in their arcname/filename fields; a crafted archive of this kind is the delivery mechanism for the arbitrary file write.
- Monitor calls to `downloadArtifactInternal`, `downloadArtifactPublic`, or `streamExtractExternal` in actions/artifact 2.x versions before 2.1.2 for path traversal filenames within extracted artifacts.
- Flag ZIP archive extraction where any entry filename resolves outside the intended destination directory after normalization, indicative of a Zip Slip / path traversal attack targeting unzip-stream 0.3.1.
- Only actions/artifact 2.x versions prior to 2.1.2 are affected per the CVE description; 2.1.2 and higher are patched. The GHSA and OSV advisories reproduced below give 2.1.7 as the fixed version, so pin to at least 2.1.7 (and actions/download-artifact to at least 4.1.3) to satisfy both. There are no known workarounds other than upgrading.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| GHSA | — | 7.5 | HIGH | — |
| OSV | — | 7.5 | HIGH | — |
OSV
@actions/artifact has an Arbitrary File Write via artifact extraction
osv · 2024-09-03 · CVSS 7.5 · HIGH
### Impact
Versions of `actions/artifact` before 2.1.7 are vulnerable to arbitrary file write when using `downloadArtifactInternal`, `downloadArtifactPublic`, or `streamExtractExternal` for extracting a specifically crafted artifact that contains path traversal filenames.
### Patches
Upgrade to version 2.1.7 or higher.
### References
- https://snyk.io/research/zip-slip-vulnerability
- https://github.com/actions/toolkit/pull/1724
### CVE
CVE-2024-42471
### Credits
Justin Taft from Google
GHSA
@actions/artifact has an Arbitrary File Write via artifact extraction
ghsa · 2024-09-03 · CVSS 7.5 · HIGH · CWE-22
Advisory body (impact, patch version 2.1.7 or higher, references and credit to Justin Taft from Google) is identical to the OSV entry above.
GHSA
@actions/download-artifact has an Arbitrary File Write via artifact extraction
ghsa · 2024-09-03 · CVSS 7.5 · HIGH · CWE-22
### Impact
Versions of `actions/download-artifact` before 4.1.3 are vulnerable to arbitrary file write when downloading and extracting a specifically crafted artifact that contains path traversal filenames.
### Patches
Upgrade to version 4.1.3 or higher. Alternatively use 'v4' tag which points to the latest and secure version.
### References
- https://snyk.io/research/zip-slip-vulnerability
- https://github.com/actions/download-artifact/releases/tag/v4.1.3
- https://github.com/actions/download-artifact/pull/299
### CVE
CVE-2024-42471
### Credits
Justin Taft from Google
No detection rules found.
No writeups or analysis indexed.