CVE-2021-21423 (GCVE-0-2021-21423)
Vulnerability from cvelistv5
Published
2021-04-06 18:35
Modified
2024-08-03 18:09
Severity
CVSS 3.1 base score 6.8 (MEDIUM), vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N, as assessed by the GitHub advisory; NVD's own assessment of the same record is 8.1 (HIGH), differing only in attack complexity (LOW instead of HIGH).
CWE
- CWE-527 - Exposure of Version-Control Repository to an Unauthorized Control Sphere
Summary
`projen` is a project generation tool that synthesizes project configuration files such as `package.json`, `tsconfig.json`, `.gitignore`, GitHub Workflows, `eslint`, `jest`, and more, from a well-typed definition written in JavaScript. Projects generated with projen's `NodeProject` project type (including any project type derived from it) contain a `.github/workflows/rebuild-bot.yml` workflow that may allow any GitHub user to trigger execution of untrusted code in the context of the "main" repository (as opposed to that of a fork). In some situations such untrusted code may be able to commit to the "main" repository. The rebuild-bot workflow is triggered by a comment containing `@projen rebuild` on a pull request; it re-builds the project from the pull request's contents, which means executing the project definition and build scripts the pull request supplies, and then updates the pull request with the regenerated files. Because the workflow is triggered by an `issue_comment` event, it always executes with a `GITHUB_TOKEN` belonging to the repository into which the pull request is made, and the workflow definition it runs is the copy on that repository's default branch. This is the opposite of the `pull_request` case: a `pull_request` run for a pull request from a fork gets a read-only `GITHUB_TOKEN` for the base repository and no access to its secrets, so untrusted code there cannot push to the base repository and has no repository secrets to exfiltrate. Repositories that do not have branch protection configured on their default branch (typically `main` or `master`) could therefore allow an untrusted user to gain access to secrets configured on the repository (such as NPM tokens): a push to the default branch made with the workflow's token can alter the workflows that receive those secrets. Branch protection prevents this escalation, as the managed `GITHUB_TOKEN` cannot modify the contents of a protected branch, and the affected workflow must be defined on the default branch to run at all. Affected versions are projen >= 0.6.0 and < 0.16.41; the fix is the referenced commit 36030c6a4b1acd0054673322612e7c70e9446643.
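As an added example (not projen's code and not part of this record), the following TypeScript scans workflow text for the combination the summary describes: a trigger that runs with the base repository's token (`issue_comment`, `pull_request_target`, `workflow_run`), a checkout of the pull request's head, a build step, and the absence of two cheap mitigations (an `author_association` gate on the commenter and an explicit `permissions` block). The three embedded workflows are constructed illustrations of the vulnerable shape, a hardened variant, and an ordinary `pull_request` workflow; they are not projen's actual `rebuild-bot.yml`. The rule names, the regex heuristics and the helper names are this example's own assumptions. Default-branch protection cannot be checked from the workflow text, so a push with the base token is only flagged for manual confirmation.

```typescript
// Added example (not projen's code): a heuristic audit of GitHub Actions workflow text for the
// trust-boundary mistake behind CVE-2021-21423. The samples are constructed, not projen's files.
interface Finding { rule: string; detail: string; }

// Events whose runs carry the base repository's GITHUB_TOKEN and secrets even when the activity
// comes from a fork. `pull_request` is absent on purpose: a fork PR gets a read-only token there.
const PRIVILEGED_TRIGGERS: string[] = ["issue_comment", "pull_request_target", "workflow_run"];

// Event names under the top-level `on:` key, in inline, list or block form (line-based scan).
function triggersOf(workflow: string): string[] {
  const lines = workflow.split("\n");
  for (let i = 0; i < lines.length; i++) {
    const m = /^on:\s*(.*)$/.exec(lines[i]);
    if (!m) continue;
    const inline = m[1].trim();
    if (inline.charAt(0) === "[") {
      return inline.replace(/[\[\]]/g, "").split(",").map((s) => s.trim()).filter((s) => s.length > 0);
    }
    if (inline !== "") return [inline];
    const out: string[] = [];
    let indent = -1;
    for (let j = i + 1; j < lines.length; j++) {
      const body = lines[j].trim();
      if (body === "" || body.charAt(0) === "#") continue;
      const lead = lines[j].search(/\S/);
      if (lead === 0) break; // next top-level key closes the `on:` block
      if (indent < 0) indent = lead;
      if (lead !== indent) continue; // nested options such as `types: [created]`
      const key = /^-?\s*([A-Za-z_]+)/.exec(body);
      if (key) out.push(key[1]);
    }
    return out;
  }
  return [];
}

// Signals that pull-request code is fetched and executed, and the mitigations that matter.
const checksOutPullRequestHead = (w: string): boolean => /refs\/pull\/|pull_request\.head\.|gh pr checkout/.test(w);
const runsBuildTooling = (w: string): boolean => /^\s*-?\s*run:\s*.*\b(npx|npm|yarn|pnpm|make)\b/m.test(w);
const gatesOnAuthor = (w: string): boolean => /author_association/.test(w);
const declaresPermissions = (w: string): boolean => /^\s*permissions:/m.test(w);
const pushesWithToken = (w: string): boolean => /git push/.test(w);

function auditWorkflow(fileName: string, workflow: string): Finding[] {
  const findings: Finding[] = [];
  const privileged = triggersOf(workflow).filter((t) => PRIVILEGED_TRIGGERS.indexOf(t) >= 0);
  if (privileged.length === 0) return findings; // no base-repository token is at stake
  const trig = privileged.join("/");
  if (checksOutPullRequestHead(workflow) && runsBuildTooling(workflow) && !gatesOnAuthor(workflow))
    findings.push({ rule: "ungated-untrusted-build", detail: `${fileName}: ${trig} run builds pull-request code with no author_association gate` });
  if (!declaresPermissions(workflow))
    findings.push({ rule: "implicit-token-permissions", detail: `${fileName}: no permissions block, GITHUB_TOKEN keeps the repository default scopes` });
  if (pushesWithToken(workflow))
    findings.push({ rule: "token-push", detail: `${fileName}: ${trig} run pushes with the base-repository token; confirm the default branch is protected` });
  return findings;
}

// Constructed sample 1: the shape the advisory describes.
const VULNERABLE_REBUILD_BOT = `name: rebuild-bot
on:
  issue_comment: { types: [created] }
jobs:
  rebuild:
    if: contains(github.event.comment.body, '@projen rebuild')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          ref: refs/pull/\${{ github.event.issue.number }}/head
      - run: npx projen
      - run: git commit -am "chore: rebuild" && git push
`;
// Constructed sample 2: same trigger, but gated to repository members and with explicit token scopes.
const HARDENED_REBUILD_BOT = `name: rebuild-bot
on:
  issue_comment: { types: [created] }
permissions: { contents: write }
jobs:
  rebuild:
    if: >-
      github.event.issue.pull_request && contains(github.event.comment.body, '@projen rebuild') &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          ref: refs/pull/\${{ github.event.issue.number }}/head
      - run: npx projen
      - run: git commit -am "chore: rebuild" && git push
`;
// Constructed sample 3: an ordinary pull_request workflow; a fork PR runs it with a read-only token.
const FORK_SAFE_CI = "name: build\non:\n  pull_request: {}\njobs:\n  build:\n    steps:\n      - uses: actions/checkout@v2\n      - run: npx projen build\n";

[["rebuild-bot.yml (vulnerable)", VULNERABLE_REBUILD_BOT], ["rebuild-bot.yml (hardened)", HARDENED_REBUILD_BOT], ["build.yml", FORK_SAFE_CI]]
  .forEach(([f, t]) => auditWorkflow(f, t).forEach((x) => console.log(`[${x.rule}] ${x.detail}`)));
```

Run it with `npx ts-node` on the file, or feed `auditWorkflow` the contents of each `.github/workflows/*.yml` in a repository. The vulnerable sample produces all three findings, the hardened one only the `token-push` note, and the `pull_request` workflow none. The hardened variant still executes pull-request code with a write-capable token once a maintainer has asked for a rebuild, so branch protection on the default branch remains the backstop the advisory names.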
References
| URL | Tags |
|---|---|
| https://github.com/projen/projen/security/advisories/GHSA-gg2g-m5wc-vccq | Mitigation, Third Party Advisory (x_refsource_CONFIRM) |
| https://github.com/projen/projen/commit/36030c6a4b1acd0054673322612e7c70e9446643 | Patch, Third Party Advisory (x_refsource_MISC) |
| https://www.npmjs.com/package/projen | Product, Third Party Advisory (x_refsource_MISC) |
Record details
- CVE ID: CVE-2021-21423 (state PUBLISHED; CVE_RECORD data version 5.1)
- Title: Exposure of Version-Control Repository to an Unauthorized Control Sphere in projen
- Assigner (CNA): GitHub_M, orgId a0819718-46f1-4df5-94e2-005712e83aaa, contact security-advisories@github.com; record generated with Vulnogram 0.0.9
- Dates: reserved 2020-12-22; published 2021-04-06T18:35:14 (CNA container last updated at the same time); CVE Program ADP container (orgId af854a3a-2127-422b-91ae-364da2661108) updated 2024-08-03T18:09:16.091Z
- NVD entry: published 2021-04-06T19:15:14.787, last modified 2024-11-21T05:48:19.907, status Modified, source identifier security-advisories@github.com
- Source advisory: GHSA-gg2g-m5wc-vccq; discovery: UNKNOWN
- Affected product: projen (vendor projen), versions >= 0.6.0, < 0.16.41
- NVD configuration: cpe:2.3:a:projen_project:projen:*:*:*:*:*:node.js:*:*, versionStartIncluding 0.6.0, versionEndExcluding 0.16.41 (matchCriteriaId A2E0EE70-F6DF-4821-ACC1-71E47B43303D)
- Weakness: CWE-527 Exposure of Version-Control Repository to an Unauthorized Control Sphere (CNA problem type and NVD primary weakness)

Metrics
| Source | Type | Version | Vector | Base score | Severity | Exploitability | Impact |
|---|---|---|---|---|---|---|---|
| security-advisories@github.com | Secondary | CVSS 3.1 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N | 6.8 | MEDIUM | 1.6 | 5.2 |
| nvd@nist.gov | Primary | CVSS 3.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N | 8.1 | HIGH | 2.8 | 5.2 |
| nvd@nist.gov | Primary | CVSS 2.0 | AV:N/AC:L/Au:S/C:P/I:P/A:N | 5.5 | MEDIUM | 8.0 | 4.9 |

The two CVSS 3.1 vectors differ only in attack complexity (CNA: HIGH, NVD: LOW). NVD's CVSS 2.0 entry records acInsufInfo, obtainAllPrivilege, obtainUserPrivilege, obtainOtherPrivilege and userInteractionRequired all as false.

Record references (CNA container, with x_transferred copies in the ADP container; NVD tags given for both sources)
- https://github.com/projen/projen/security/advisories/GHSA-gg2g-m5wc-vccq: x_refsource_CONFIRM; NVD tags Mitigation, Third Party Advisory
- https://github.com/projen/projen/commit/36030c6a4b1acd0054673322612e7c70e9446643: x_refsource_MISC; NVD tags Patch, Third Party Advisory
- https://www.npmjs.com/package/projen: x_refsource_MISC; NVD tags Product, Third Party Advisory

The description carried by the CNA container, by the legacy CVE v4 record (MITRE data format 4.0, ASSIGNER security-advisories@github.com) and by the NVD entry is the English text given under Summary above; the NVD entry additionally carries a Spanish translation of the same description.
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.