
Google discloses 'high' severity security flaw in GitHub

posted on November 3, 2020
by l33tdawg
Neowin
Credit: Neowin

Google's Project Zero team is well-known for discovering vulnerabilities and bugs in Google's own software as well as that developed by other companies. Its methodology involves identifying security flaws in software and privately reporting them to vendors, giving them 90 days to fix them before public disclosure. Depending upon the complexity of the fix required, it sometimes also offers additional days in the form of a grace period. In specific scenarios, companies may even be given less than the standard 90 days to fix issues before Google publicly announces them.

Over the past couple of years, the team has revealed major vulnerabilities in Windows, Windows 10 S, macOS kernel, and iOS, among others. A couple of days ago, the security team disclosed a zero-day exploit present in various versions of Windows, and today it has revealed a security flaw in GitHub.

The vulnerability has been classified as a "high" severity issue by Google Project Zero. We'll spare you the nitty-gritty technical details (you're free to view them in detail here if you want), but the meat of the matter is that workflow commands in GitHub Actions are extremely vulnerable to injection attacks. For those unaware, workflow commands act as a communication channel between executed actions and the Action Runner: the runner scans everything an action prints to its output and treats specially formatted lines as instructions.
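To make the injection channel concrete, here is an added simulation (not code from Neowin, Project Zero or GitHub) of how a runner scans an action's stdout for `::command key=value::data` lines, and how the `::stop-commands::TOKEN` fence keeps untrusted text that is merely being logged from being interpreted. The `set-env` command name is the real one that was deprecated after this disclosure; the PR title, the `INJECTED` variable and the `fence` token prefix are constructed sample values.

```python
import re
import secrets

# Simplified runner syntax: "::name key=val,key2=val2::data" on its own line.
# (The real runner also unescapes %0A/%0D/%25 in data; omitted here.)
COMMAND_RE = re.compile(r"^::([^\s:]+)(?:\s+([^:]*))?::(.*)$")


def parse_output(lines):
    """Simulate the runner reading an action's stdout line by line.

    Returns the (command, properties, data) tuples the runner would act on.
    Lines between '::stop-commands::TOKEN' and '::TOKEN::' are plain log text.
    """
    commands = []
    stop_token = None
    for line in lines:
        m = COMMAND_RE.match(line)
        if not m:
            continue  # ordinary log line, nothing to do
        name, props, data = m.group(1), m.group(2) or "", m.group(3)
        if stop_token is not None:
            if name == stop_token:  # end of the fenced region
                stop_token = None
            continue  # anything else inside the fence is ignored
        if name == "stop-commands":
            stop_token = data  # fence opened; remember the end token
            continue
        properties = dict(kv.split("=", 1) for kv in props.split(",") if "=" in kv)
        commands.append((name, properties, data))
    return commands


def echo_untrusted(text, fenced=True):
    """Lines an action emits when it logs untrusted text (e.g. a PR title).

    Unfenced, any line that happens to have the command shape is executed by
    the runner; fenced with an unguessable token, it is only ever log output.
    """
    if not fenced:
        return text.splitlines()
    token = "fence" + secrets.token_hex(8)  # constructed, random per run
    return [f"::stop-commands::{token}", *text.splitlines(), f"::{token}::"]


# Constructed sample: a PR title whose second line has the command shape.
UNTRUSTED_PR_TITLE = "Fix typo\n::set-env name=INJECTED::from-untrusted-input"

if __name__ == "__main__":
    print("unfenced:", parse_output(echo_untrusted(UNTRUSTED_PR_TITLE, fenced=False)))
    print("fenced:  ", parse_output(echo_untrusted(UNTRUSTED_PR_TITLE)))
```

GitHub's fix replaced `set-env` and `add-path` with writes to the `$GITHUB_ENV` and `$GITHUB_PATH` files, which removes the stdout parsing path entirely; the fence remains the tool for other commands.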
