fkie_cve-2025-24362
Vulnerability from fkie_nvd
Published: 2025-01-24 18:15
Modified: 2025-03-31 14:15
Summary
In some circumstances, debug artifacts uploaded by the CodeQL Action after a failed code scanning workflow run may contain the environment variables from the workflow run, including any secrets that were exposed as environment variables to the workflow. Users with read access to the repository would be able to access this artifact, containing any secrets from the environment. This vulnerability is patched in CodeQL Action version 3.28.3 or later, or CodeQL CLI version 2.20.3 or later.

For some affected workflow runs, the exposed environment variables in the debug artifacts included a valid `GITHUB_TOKEN` for the workflow run, which has access to the repository in which the workflow ran, and all the permissions specified in the workflow or job. The `GITHUB_TOKEN` is valid until the job completes or 24 hours has elapsed, whichever comes first.

Environment variables are exposed only from workflow runs that satisfy all of the following conditions:
- Code scanning workflow configured to scan the Java/Kotlin languages.
- Running in a repository containing Kotlin source code.
- Running with debug artifacts enabled.
- Using CodeQL Action versions <= 3.28.2, and CodeQL CLI versions >= 2.9.2 (May 2022) and <= 2.20.2.
- The workflow run fails before the CodeQL database is finalized within the `github/codeql-action/analyze` step.
- Running in any GitHub environment: GitHub.com, GitHub Enterprise Cloud, and GitHub Enterprise Server.

Note: artifacts are only accessible to users within the same GitHub environment with access to the scanned repo.

The `GITHUB_TOKEN` exposed in this way would only have been valid for workflow runs that satisfy all of the following conditions, in addition to the conditions above:
- Using CodeQL Action versions >= 3.26.11 (October 2024) and <= 3.28.2, or >= 2.26.11 and < 3.
- Running in GitHub.com or GitHub Enterprise Cloud only (not valid on GitHub Enterprise Server).

In rare cases during advanced setup, logging of environment variables may also occur during database creation of Java, Swift, and C/C++. Please read the corresponding CodeQL CLI advisory GHSA-gqh3-9prg-j95m for more details.

In CodeQL CLI versions >= 2.9.2 and <= 2.20.2, the CodeQL Kotlin extractor logs all environment variables by default into an intermediate file during the process of creating a CodeQL database for Kotlin code. This is a part of the CodeQL CLI and is invoked by the CodeQL Action for analyzing Kotlin repositories.

On Actions, the environment variables logged include GITHUB_TOKEN, which grants permissions to the repository being scanned. The intermediate file containing environment variables is deleted when finalizing the database, so it is not included in a successfully created database. It is, however, included in the debug artifact that is uploaded on a failed analysis run if the CodeQL Action was invoked in debug mode.

Therefore, under these specific circumstances (incomplete database creation using the CodeQL Action in debug mode) an attacker with access to the debug artifact would gain unauthorized access to repository secrets from the environment, including both the `GITHUB_TOKEN` and any user-configured secrets made available via environment variables.

The impact of the `GITHUB_TOKEN` leaked in this environment is limited:
- For workflows on GitHub.com and GitHub Enterprise Cloud using CodeQL Action versions >= 3.26.11 and <= 3.28.2, or >= 2.26.11 and < 3, which in turn use the `actions/artifacts v4` library, the debug artifact is uploaded before the workflow job completes. During this time the `GITHUB_TOKEN` is still valid, providing an opportunity for attackers to gain access to the repository.
- For all other workflows, the debug artifact is uploaded after the workflow job completes, at which point the leaked `GITHUB_TOKEN` has been revoked and cannot be used to access the repository.
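As an added example, not code from the advisory or the codeql-action project, the following Python check scans a workflow file for the conditions listed above: a Java/Kotlin language selection, debug mode (assumed here to be enabled through the init step's `debug: true` input), and a CodeQL Action release tag below 3.28.3; it separately flags the version window in which the `GITHUB_TOKEN` could still be valid when the artifact is uploaded. The sample workflow is constructed, and floating tags or SHA pins are reported as "resolve and verify" rather than guessed.

```python
import re

# Version bounds taken from the advisory text above.
PATCHED_ACTION = (3, 28, 3)                  # first fixed CodeQL Action release
TOKEN_WINDOW_V3 = ((3, 26, 11), (3, 28, 2))  # artifact uploaded while GITHUB_TOKEN is still valid
TOKEN_WINDOW_V2_MIN = (2, 26, 11)            # ">= 2.26.11 and < 3"

USES_RE = re.compile(r"uses:\s*github/codeql-action/(init|analyze)@(\S+)")
LANG_RE = re.compile(r"languages:\s*(.+)")
DEBUG_RE = re.compile(r"^\s*debug:\s*['\"]?true['\"]?\s*$", re.MULTILINE)

def parse_semver(ref):
    """'v3.28.0' -> (3, 28, 0); a floating tag such as 'v3' or a commit SHA -> None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", ref)
    return tuple(int(x) for x in m.groups()) if m else None

def scans_java_kotlin(text):
    """True if any `languages:` line selects java, kotlin or java-kotlin (literal values only)."""
    langs = set()
    for m in LANG_RE.finditer(text):
        langs.update(t.lower() for t in re.split(r"[,\s\[\]\"']+", m.group(1)) if t)
    return bool(langs & {"java", "kotlin", "java-kotlin"})

def debug_enabled(text):
    # Assumption: debug artifacts are turned on via the init step's `debug: true` input.
    return DEBUG_RE.search(text) is not None

def token_may_be_live(ver):
    """Versions whose artifact upload happens before the job (and its token) ends."""
    return TOKEN_WINDOW_V3[0] <= ver <= TOKEN_WINDOW_V3[1] or (ver[0] == 2 and ver >= TOKEN_WINDOW_V2_MIN)

def assess(text):
    """Findings for one workflow file; an empty list means the listed conditions are not all met."""
    findings = []
    if not (scans_java_kotlin(text) and debug_enabled(text)):
        return findings
    for step, ref in USES_RE.findall(text):
        ver = parse_semver(ref)
        if ver is None:
            findings.append(f"{step}@{ref}: floating tag or SHA, resolve it and verify the release is >= 3.28.3")
        elif ver < PATCHED_ACTION:
            findings.append(f"{step}@{ref}: below 3.28.3, env vars can land in the failed-run debug artifact")
            if token_may_be_live(ver):
                findings.append(f"{step}@{ref}: GITHUB_TOKEN may still be valid at upload (GitHub.com/GHEC)")
    return findings

# Constructed sample workflow, not taken from any real repository.
SAMPLE = """\
jobs:
  analyze:
    steps:
      - uses: github/codeql-action/init@v3.28.0
        with:
          languages: java-kotlin
          debug: true
      - uses: github/codeql-action/analyze@v3.28.0
"""
```

A `languages:` value supplied through a matrix expression is not resolved by this check, so such workflows need a manual look at the matrix definition.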
Impacted products
Vendor Product Version



{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In some circumstances, debug artifacts uploaded by the CodeQL Action after a failed code scanning workflow run may contain the environment variables from the workflow run, including any secrets that were exposed as environment variables to the workflow. Users with read access to the repository would be able to access this artifact, containing any secrets from the environment. This vulnerability is patched in CodeQL Action version 3.28.3 or later, or CodeQL CLI version 2.20.3 or later.\n\nFor some affected workflow runs, the exposed environment variables in the debug artifacts included a valid `GITHUB_TOKEN` for the workflow run, which has access to the repository in which the workflow ran, and all the permissions specified in the workflow or job. The `GITHUB_TOKEN` is valid until the job completes or 24 hours has elapsed, whichever comes first.\n\nEnvironment variables are exposed only from workflow runs that satisfy all of the following conditions:\n- Code scanning workflow configured to scan the Java/Kotlin languages.\n- Running in a repository containing Kotlin source code.\n- Running with debug artifacts enabled.\n- Using CodeQL Action versions \u003c= 3.28.2, and CodeQL CLI versions \u003e= 2.9.2 (May 2022) and \u003c= 2.20.2.\n- The workflow run fails before the CodeQL database is finalized within the `github/codeql-action/analyze` step.\n- Running in any GitHub environment: GitHub.com, GitHub Enterprise Cloud, and GitHub Enterprise Server. Note: artifacts are only accessible to users within the same GitHub environment with access to the scanned repo.\n\nThe `GITHUB_TOKEN` exposed in this way would only have been valid for workflow runs that satisfy all of the following conditions, in addition to the conditions above:\n- Using CodeQL Action versions \u003e= 3.26.11 (October 2024) and \u003c= 3.28.2, or \u003e= 2.26.11 and \u003c 3.\n- Running in GitHub.com or GitHub Enterprise Cloud only (not valid on GitHub Enterprise Server).\n\nIn rare cases during advanced setup, logging of environment variables may also occur during database creation of Java, Swift, and C/C++. Please read the corresponding CodeQL CLI advisory GHSA-gqh3-9prg-j95m for more details.\n\nIn CodeQL CLI versions \u003e= 2.9.2 and \u003c= 2.20.2, the CodeQL Kotlin extractor logs all environment variables by default into an intermediate file during the process of creating a CodeQL database for Kotlin code. This is a part of the CodeQL CLI and is invoked by the CodeQL Action for analyzing Kotlin repositories. \n\nOn Actions, the environment variables logged include GITHUB_TOKEN, which grants permissions to the repository being scanned.\nThe intermediate file containing environment variables is deleted when finalizing the database, so it is not included in a successfully created database. It is, however, included in the debug artifact that is uploaded on a failed analysis run if the CodeQL Action was invoked in debug mode.\n\nTherefore, under these specific circumstances (incomplete database creation using the CodeQL Action in debug mode) an attacker with access to the debug artifact would gain unauthorized access to repository secrets from the environment, including both the `GITHUB_TOKEN` and any user-configured secrets made available via environment variables.\n\nThe impact of the `GITHUB_TOKEN` leaked in this environment is limited:\n- For workflows on GitHub.com and GitHub Enterprise Cloud using CodeQL Action versions \u003e= 3.26.11 and \u003c= 3.28.2, or \u003e= 2.26.11 and \u003c 3, which in turn use the `actions/artifacts v4` library, the debug artifact is uploaded before the workflow job completes. During this time the `GITHUB_TOKEN` is still valid, providing an opportunity for attackers to gain access to the repository.\n- For all other workflows, the debug artifact is uploaded after the workflow job completes, at which point the leaked `GITHUB_TOKEN` has been revoked and cannot be used to access the repository."
    },
    {
      "lang": "es",
      "value": "En algunas circunstancias, los artefactos de depuraci\u00f3n cargados por CodeQL Action despu\u00e9s de una ejecuci\u00f3n de flujo de trabajo de escaneo de c\u00f3digo fallida pueden contener las variables de entorno de la ejecuci\u00f3n del flujo de trabajo, incluidos los secretos que se expusieron como variables de entorno al flujo de trabajo. Los usuarios con acceso de lectura al repositorio podr\u00edan acceder a este artefacto, que contiene los secretos del entorno. Esta vulnerabilidad est\u00e1 parcheada en CodeQL Action versi\u00f3n 3.28.3 o posterior, o CodeQL CLI versi\u00f3n 2.20.3 o posterior. Para algunas ejecuciones de flujo de trabajo afectadas, las variables de entorno expuestas en los artefactos de depuraci\u00f3n inclu\u00edan un `GITHUB_TOKEN` v\u00e1lido para la ejecuci\u00f3n del flujo de trabajo, que tiene acceso al repositorio en el que se ejecut\u00f3 el flujo de trabajo y todos los permisos especificados en el flujo de trabajo o trabajo. El `GITHUB_TOKEN` es v\u00e1lido hasta que se complete el trabajo o transcurran 24 horas, lo que ocurra primero. Las variables de entorno se exponen solo desde ejecuciones de flujo de trabajo que satisfacen todas las siguientes condiciones: - Flujo de trabajo de escaneo de c\u00f3digo configurado para escanear los lenguajes Java/Kotlin. - Ejecuci\u00f3n en un repositorio que contiene c\u00f3digo fuente Kotlin. - Ejecuci\u00f3n con artefactos de depuraci\u00f3n habilitados. - Uso de versiones de CodeQL Action \u0026lt;= 3.28.2 y versiones de CodeQL CLI \u0026gt;= 2.9.2 (mayo de 2022) y \u0026lt;= 2.20.2. - La ejecuci\u00f3n del flujo de trabajo falla antes de que se finalice la base de datos de CodeQL dentro del paso `github/codeql-action/analyze`. - Ejecuci\u00f3n en cualquier entorno de GitHub: GitHub.com, GitHub Enterprise Cloud y GitHub Enterprise Server. Nota: los artefactos solo son accesibles para los usuarios dentro del mismo entorno de GitHub con acceso al repositorio escaneado. El `GITHUB_TOKEN` expuesto de esta manera solo habr\u00eda sido v\u00e1lido para ejecuciones de flujo de trabajo que satisfagan todas las siguientes condiciones, adem\u00e1s de las condiciones anteriores: - Usar versiones de CodeQL Action \u0026gt;= 3.26.11 (octubre de 2024) y \u0026lt;= 3.28.2, o \u0026gt;= 2.26.11 y \u0026lt; 3. - Ejecutarse solo en GitHub.com o GitHub Enterprise Cloud (no v\u00e1lido en GitHub Enterprise Server). En casos excepcionales durante la configuraci\u00f3n avanzada, tambi\u00e9n puede ocurrir el registro de variables de entorno durante la creaci\u00f3n de bases de datos de Java, Swift y C/C++. Lea el aviso correspondiente de CodeQL CLI GHSA-gqh3-9prg-j95m para obtener m\u00e1s detalles. En las versiones de CodeQL CLI \u0026gt;= 2.9.2 y \u0026lt;= 2.20.2, el extractor CodeQL Kotlin registra todas las variables de entorno de forma predeterminada en un archivo intermedio durante el proceso de creaci\u00f3n de una base de datos CodeQL para el c\u00f3digo Kotlin. Esta es una parte de la CLI de CodeQL y la invoca la Acci\u00f3n de CodeQL para analizar los repositorios de Kotlin. En las Acciones, las variables de entorno registradas incluyen GITHUB_TOKEN, que otorga permisos al repositorio que se est\u00e1 escaneando. El archivo intermedio que contiene las variables de entorno se elimina al finalizar la base de datos, por lo que no se incluye en una base de datos creada correctamente. Sin embargo, se incluye en el artefacto de depuraci\u00f3n que se carga en una ejecuci\u00f3n de an\u00e1lisis fallida si la Acci\u00f3n de CodeQL se invoc\u00f3 en modo de depuraci\u00f3n. Por lo tanto, en estas circunstancias espec\u00edficas (creaci\u00f3n de base de datos incompleta utilizando la Acci\u00f3n de CodeQL en modo de depuraci\u00f3n), un atacante con acceso al artefacto de depuraci\u00f3n obtendr\u00eda acceso no autorizado a los secretos del repositorio del entorno, incluido tanto el `GITHUB_TOKEN` como cualquier secreto configurado por el usuario que se haya puesto a disposici\u00f3n a trav\u00e9s de las variables de entorno. El impacto del `GITHUB_TOKEN` filtrado en este entorno es limitado: --- truncado ---"
    }
  ],
  "id": "CVE-2025-24362",
  "lastModified": "2025-03-31T14:15:18.993",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-01-24T18:15:32.383",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://docs.github.com/en/code-security/code-scanning/troubleshooting-code-scanning/logs-not-detailed-enough"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/github/codeql-action/commit/519de26711ecad48bde264c51e414658a82ef3fa"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/github/codeql-action/pull/1074"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/github/codeql-action/pull/2482"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/github/codeql-action/security/advisories/GHSA-vqf5-2xx6-9wfm"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/github/codeql-cli-binaries/security/advisories/GHSA-gqh3-9prg-j95m"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://news.ycombinator.com/item?id=43527044"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.praetorian.com/blog/codeqleaked-public-secrets-exposure-leads-to-supply-chain-attack-on-github-codeql/"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-532"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

