CVE-2020-14188

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on GitHub runners by creating specially crafted GitHub issues. It affects users of the Atlassian gajira-create GitHub Action before version 2.0.1. Attackers can compromise CI/CD pipelines and potentially access sensitive data or deploy malicious code.

💻 Affected Systems

Products:
  • Atlassian gajira-create GitHub Action
Versions: All versions before 2.0.1
Operating Systems: All platforms where GitHub Actions run
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is in the action's preprocessArgs function, which improperly handles user-controlled input taken from GitHub issues.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the GitHub runner environment, allowing attackers to steal secrets, modify source code, deploy malicious artifacts, and pivot to internal systems.

🟠 Likely Case

Execution of arbitrary commands in CI/CD pipelines, potentially exposing secrets, modifying build artifacts, or disrupting development workflows.

🟢 If Mitigated

Limited impact if proper network segmentation and secret management are in place, though runner compromise could still occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to create GitHub issues in repositories using the vulnerable action. Public proof-of-concept exists in the advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.1

Vendor Advisory: https://github.com/atlassian/gajira-create/security/advisories/GHSA-4xqx-pqpj-9fqw

Restart Required: No

Instructions:

1. Update GitHub workflow files to use gajira-create@v2.0.1 or later
2. Replace any references to older versions in .github/workflows/*.yml files
3. Test workflows to ensure compatibility

🔧 Temporary Workarounds

Disable vulnerable action (all platforms)

Temporarily disable or remove the gajira-create action from workflows.

# Comment out or remove uses: atlassian/gajira-create@v2 lines in workflow files

Restrict issue creation (all platforms)

Limit who can create GitHub issues in affected repositories.

# Configure repository settings to restrict issue creation to trusted users

🧯 If You Can't Patch

  • Implement strict network segmentation for GitHub runners
  • Use ephemeral runners with minimal permissions and no persistent secrets

🔍 How to Verify

Check if Vulnerable:

Check .github/workflows/*.yml files for 'uses: atlassian/gajira-create@' with version less than 2.0.1

Check Version:

grep -r 'atlassian/gajira-create@' .github/workflows/

Verify Fix Applied:

Confirm workflow files reference gajira-create@v2.0.1 or later
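The grep above only lists references; it does not decide whether each one is below 2.0.1, and a floating major-version tag such as `@v2` or a 40-character commit pin cannot be judged from the workflow file alone, because it resolves to whatever the tag or commit currently is in the action's repository. The following scanner is an added example, not code from the advisory or from Atlassian; it walks `.github/workflows/*.yml`, extracts every `uses: atlassian/gajira-create@<ref>` line, and classifies the ref as fixed, vulnerable, or unresolved (needs manual resolution against the action's tags). The sample workflow text is constructed for the demonstration. It uses plain regex line scanning rather than a YAML parser so it runs with the standard library only.

```python
import re
from pathlib import Path

# First release that fixes CVE-2020-14188, per the vendor advisory.
PATCHED = (2, 0, 1)

# Matches "uses: atlassian/gajira-create@<ref>" with or without a list dash or quotes.
USES_RE = re.compile(
    r'^\s*-?\s*uses:\s*["\']?atlassian/gajira-create@([^\s"\'#]+)', re.IGNORECASE
)
# Optional leading "v", then 1 to 3 numeric components (v2, v2.0, v2.0.1).
SEMVER_RE = re.compile(r'^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify_ref(ref: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unresolved' for one gajira-create ref.

    A partial tag like 'v2' floats across every 2.x.y release, so it can only be
    judged by resolving it in the action's repository; we report 'unresolved'.
    """
    if SHA_RE.match(ref):
        return "unresolved"  # commit pin: map it to a release tag by hand
    m = SEMVER_RE.match(ref)
    if not m:
        return "unresolved"  # branch name or some other ref
    parts = [int(p) if p is not None else None for p in m.groups()]
    inf = float("inf")
    # Lowest and highest release a partial tag could resolve to.
    lowest = tuple(p if p is not None else 0 for p in parts)
    highest = tuple(p if p is not None else inf for p in parts)
    if lowest >= PATCHED:
        return "fixed"
    if highest < PATCHED:
        return "vulnerable"
    return "unresolved"


def scan_text(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, ref, status) for each gajira-create reference in a workflow."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            findings.append((lineno, ref, classify_ref(ref)))
    return findings


def scan_repo(repo_root: str) -> dict[str, list[tuple[int, str, str]]]:
    """Scan every workflow file under <repo_root>/.github/workflows."""
    results = {}
    for path in sorted(Path(repo_root).glob(".github/workflows/*.y*ml")):
        found = scan_text(path.read_text(encoding="utf-8"))
        if found:
            results[str(path)] = found
    return results


# Constructed sample workflow (not from any real repository) covering the three cases.
SAMPLE_WORKFLOW = """\
name: Create Jira issue
on:
  issues:
    types: [opened]
jobs:
  create:
    runs-on: ubuntu-latest
    steps:
      - uses: atlassian/gajira-login@v2
      - name: Old pinned release
        uses: atlassian/gajira-create@v2.0.0
      - uses: "atlassian/gajira-create@v2.0.1"
      - uses: atlassian/gajira-create@v2   # floating major tag
"""

if __name__ == "__main__":
    for lineno, ref, status in scan_text(SAMPLE_WORKFLOW):
        print(f"line {lineno}: @{ref} -> {status}")
```

Run `scan_repo(".")` from a checkout to get a per-file report; treat every `unresolved` entry as needing a manual check of which commit the tag or SHA points to, and consider pinning to a full-version tag or commit once you have confirmed it is at or past 2.0.1, so the result of this check stays meaningful over time.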

📡 Detection & Monitoring

Log Indicators:

  • Unusual commands executed in GitHub Actions logs
  • Suspicious issue creation patterns
  • Unexpected network connections from runners

Network Indicators:

  • Outbound connections from GitHub runners to unexpected destinations
  • Unusual data exfiltration patterns

SIEM Query:

source="github-actions" AND (command_execution OR suspicious_process)
