CVE-2022-39326 - Vulnerability Details - OpenCVE

kartverket/github-workflows are shared reusable workflows for GitHub Actions. Prior to version 2.7.5, all users of the `run-terraform` reusable workflow from the kartverket/github-workflows repo are affected by a code injection vulnerability. A malicious actor could potentially send a PR with a malicious payload leading to execution of arbitrary JavaScript code in the context of the workflow. Users should upgrade to at least version 2.7.5 to resolve the issue. As a workaround, review any pull requests from external users for malicious payloads before allowing them to trigger a build.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Kartverket	Github-workflows

Configuration 1 [-]

cpe:2.3:a:kartverket:github-workflows:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/kartverket/github-workflows/pull/19
https://github.com/kartverket/github-workflows/releases/tag/v2.7.5
https://github.com/kartverket/github-workflows/security/advisories/GHSA-f9qj-7gh3-mhj4

History

Thu, 24 Apr 2025 08:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-10-25T00:00:00.000Z

Updated: 2025-04-23T16:44:28.558Z

Reserved: 2022-09-02T00:00:00.000Z

Link: CVE-2022-39326

Vulnrichment

Updated: 2024-08-03T12:00:44.038Z

NVD

Status : Modified

Published: 2022-10-25T17:15:56.087

Modified: 2024-11-21T07:18:02.640

Link: CVE-2022-39326

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-39326", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2025-04-23T16:44:28.558Z", "dateReserved": "2022-09-02T00:00:00.000Z", "datePublished": "2022-10-25T00:00:00.000Z"}, "containers": {"cna": {"title": "kartverket/github-workflows's run-terraform allows for RCE via terraform plan", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-10-25T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "kartverket/github-workflows are shared reusable workflows for GitHub Actions. Prior to version 2.7.5, all users of the `run-terraform` reusable workflow from the kartverket/github-workflows repo are affected by a code injection vulnerability. A malicious actor could potentially send a PR with a malicious payload leading to execution of arbitrary JavaScript code in the context of the workflow. Users should upgrade to at least version 2.7.5 to resolve the issue. As a workaround, review any pull requests from external users for malicious payloads before allowing them to trigger a build."}], "affected": [{"vendor": "kartverket", "product": "github-workflows", "versions": [{"version": "< 2.7.5", "status": "affected"}]}], "references": [{"url": "https://github.com/kartverket/github-workflows/security/advisories/GHSA-f9qj-7gh3-mhj4"}, {"url": "https://github.com/kartverket/github-workflows/pull/19"}, {"url": "https://github.com/kartverket/github-workflows/releases/tag/v2.7.5"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94"}]}], "source": {"advisory": "GHSA-f9qj-7gh3-mhj4", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:44.038Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/kartverket/github-workflows/security/advisories/GHSA-f9qj-7gh3-mhj4", "tags": ["x_transferred"]}, {"url": "https://github.com/kartverket/github-workflows/pull/19", "tags": ["x_transferred"]}, {"url": "https://github.com/kartverket/github-workflows/releases/tag/v2.7.5", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T15:47:34.799415Z", "id": "CVE-2022-39326", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T16:44:28.558Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/kartverket/github-workflows/security/advisories/GHSA-f9qj-7gh3-mhj4", "tags": ["x_transferred"]}, {"url": "https://github.com/kartverket/github-workflows/pull/19", "tags": ["x_transferred"]}, {"url": "https://github.com/kartverket/github-workflows/releases/tag/v2.7.5", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:44.038Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-39326", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-23T15:47:34.799415Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T15:47:36.339Z"}}], "cna": {"title": "kartverket/github-workflows's run-terraform allows for RCE via terraform plan", "source": {"advisory": "GHSA-f9qj-7gh3-mhj4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "kartverket", "product": "github-workflows", "versions": [{"status": "affected", "version": "< 2.7.5"}]}], "references": [{"url": "https://github.com/kartverket/github-workflows/security/advisories/GHSA-f9qj-7gh3-mhj4"}, {"url": "https://github.com/kartverket/github-workflows/pull/19"}, {"url": "https://github.com/kartverket/github-workflows/releases/tag/v2.7.5"}], "descriptions": [{"lang": "en", "value": "kartverket/github-workflows are shared reusable workflows for GitHub Actions. Prior to version 2.7.5, all users of the `run-terraform` reusable workflow from the kartverket/github-workflows repo are affected by a code injection vulnerability. A malicious actor could potentially send a PR with a malicious payload leading to execution of arbitrary JavaScript code in the context of the workflow. Users should upgrade to at least version 2.7.5 to resolve the issue. As a workaround, review any pull requests from external users for malicious payloads before allowing them to trigger a build."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-10-25T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2022-39326", "state": "PUBLISHED", "dateUpdated": "2025-04-23T16:44:28.558Z", "dateReserved": "2022-09-02T00:00:00.000Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2022-10-25T00:00:00.000Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kartverket:github-workflows:*:*:*:*:*:*:*:*", "matchCriteriaId": "9BE0EA3C-47ED-4B8A-8694-049BAA206417", "versionEndExcluding": "2.7.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "kartverket/github-workflows are shared reusable workflows for GitHub Actions. Prior to version 2.7.5, all users of the `run-terraform` reusable workflow from the kartverket/github-workflows repo are affected by a code injection vulnerability. A malicious actor could potentially send a PR with a malicious payload leading to execution of arbitrary JavaScript code in the context of the workflow. Users should upgrade to at least version 2.7.5 to resolve the issue. As a workaround, review any pull requests from external users for malicious payloads before allowing them to trigger a build."}, {"lang": "es", "value": "kartverket/github-workflows son flujos de trabajo reusables compartidos para las acciones de GitHub. versiones anteriores a 2.7.5, todos los usuarios del flujo de trabajo reusable \"run-terraform\" del repositorio kartverket/github-workflows est\u00e1n afectados por una vulnerabilidad de inyecci\u00f3n de c\u00f3digo. Un actor malicioso podr\u00eda enviar una RP con una carga \u00fatil maliciosa que conlleva a una ejecuci\u00f3n de c\u00f3digo JavaScript arbitrario en el contexto del flujo de trabajo. Los usuarios deben actualizar al menos a versi\u00f3n 2.7.5 para resolver el problema. Como mitigaci\u00f3n, revise cualquier petici\u00f3n de usuarios externos en busca de cargas \u00fatiles maliciosas antes de permitir que desencadenen una compilaci\u00f3n"}], "id": "CVE-2022-39326", "lastModified": "2024-11-21T07:18:02.640", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-25T17:15:56.087", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/kartverket/github-workflows/pull/19"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Release Notes", "Third Party Advisory"], "url": "https://github.com/kartverket/github-workflows/releases/tag/v2.7.5"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/kartverket/github-workflows/security/advisories/GHSA-f9qj-7gh3-mhj4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/kartverket/github-workflows/pull/19"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Release Notes", "Third Party Advisory"], "url": "https://github.com/kartverket/github-workflows/releases/tag/v2.7.5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/kartverket/github-workflows/security/advisories/GHSA-f9qj-7gh3-mhj4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}