GitHub has finally fixed a high-severity vulnerability in GitHub Actions that researchers from Google Project Zero reported to the company more than three months ago.
As a reminder, Actions is GitHub's workflow automation service for developers. As Felix Wilhelm of Google Project Zero showed, the Actions runner scanned the standard output of every workflow step for "workflow commands" of the form `::set-env name=X::value` and `::add-path::dir`. Any attacker-controlled text that a step happened to print, such as a pull-request title, an issue body or a branch name, could therefore inject those commands and set environment variables or prepend to PATH for all later steps of the job. That is the injection Wilhelm described, and in practice it gave a path to code execution inside the workflow.
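To make the mechanism concrete, here is a small simulation of how the runner consumed step output before and after the fix. This is an added example written for this article; it is not GitHub's runner code or Project Zero's proof of concept. The pull-request title, the variable name, the paths and the function names are all constructed for illustration; NODE_OPTIONS is used because every Node.js process honours it, which is what made variable injection dangerous.

```python
import re
from typing import Dict, Optional

# Shape of a workflow command as the pre-fix Actions runner recognised it on
# each line of a step's stdout: "::<command> key=value,key=value::<data>".
WORKFLOW_CMD = re.compile(
    r"^::(?P<cmd>[a-z-]+)(?: (?P<props>[^:]*))?::(?P<data>.*)$"
)


def parse_props(props: Optional[str]) -> Dict[str, str]:
    """Turn 'name=FOO,other=bar' into a dict (hypothetical helper)."""
    out: Dict[str, str] = {}
    for pair in (props or "").split(","):
        key, _, value = pair.partition("=")
        if key.strip():
            out[key.strip()] = value.strip()
    return out


def run_step_stdout(stdout: str, env: Dict[str, str],
                    legacy_commands_enabled: bool) -> Dict[str, str]:
    """Simulate the runner reading one step's stdout.

    Returns the environment handed to the following steps.  With
    legacy_commands_enabled=True it behaves like the vulnerable runner;
    with False it ignores set-env/add-path, which is the fix GitHub shipped.
    """
    env = dict(env)
    for raw in stdout.splitlines():
        m = WORKFLOW_CMD.match(raw.strip())
        if not m:
            continue
        cmd, data = m.group("cmd"), m.group("data")
        if cmd in ("set-env", "add-path") and not legacy_commands_enabled:
            continue  # fixed runner: command is no longer honoured
        if cmd == "set-env":
            name = parse_props(m.group("props")).get("name")
            if name:
                env[name] = data
        elif cmd == "add-path":
            env["PATH"] = data + ":" + env.get("PATH", "")
    return env


def apply_env_file(env: Dict[str, str], env_file_text: str) -> Dict[str, str]:
    """Replacement mechanism (single-line form): later steps read KEY=value
    lines that a step wrote to the file named by $GITHUB_ENV.  Stdout is never
    consulted, so text merely echoed by a step cannot reach this path."""
    env = dict(env)
    for line in env_file_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip():
            env[key.strip()] = value
    return env


# Constructed sample: a multi-line pull-request title chosen by the attacker.
ATTACKER_PR_TITLE = (
    "Fix typo\n"
    "::set-env name=NODE_OPTIONS::--require /tmp/evil.js\n"
    "::add-path::/tmp/evil-bin"
)


def step_that_echoes_title(title: str) -> str:
    """A typical innocent step: it just logs the PR title (constructed)."""
    return f"Processing PR: {title}\n"


def env_after_echo_step(legacy_commands_enabled: bool) -> Dict[str, str]:
    base = {"PATH": "/usr/bin:/bin"}
    return run_step_stdout(step_that_echoes_title(ATTACKER_PR_TITLE),
                           base, legacy_commands_enabled)


if __name__ == "__main__":
    print("vulnerable runner:", env_after_echo_step(True))
    print("fixed runner:     ", env_after_echo_step(False))
```

On the vulnerable runner the echoed title sets NODE_OPTIONS and prepends an attacker directory to PATH for every later step; on the fixed runner the same output changes nothing, and a step that legitimately needs to export a variable writes it to the $GITHUB_ENV file instead.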
Although Google's researchers rated the vulnerability as high severity, GitHub classified it as a medium-severity issue.
As a rule, Google Project Zero publishes details of a vulnerability 90 days after notifying the vendor. In this case GitHub kept asking for more time, so the researchers published the technical details after 104 days.
GitHub has now changed course and eliminated the vulnerability in the way Wilhelm originally suggested: the runner no longer honours the "set-env" and "add-path" workflow commands. Steps that need to export a variable or extend PATH write to the environment files instead, so text that a step merely prints can no longer alter the job.
It is a shame that it took GitHub another two weeks after the details of the issue were published to ship that change.