CVE-2024-21623

9.8 CRITICAL

📋 TL;DR

CVE-2024-21623 is an expression injection vulnerability in OTClient's GitHub Actions workflow that allows remote code execution on GitHub runners. Attackers can execute arbitrary commands, leak secrets, and modify repositories through the vulnerable workflow. This affects OTClient users who run the 'Analysis - SonarCloud' GitHub Actions workflow prior to the fix.

💻 Affected Systems

Products:
  • OTClient
Versions: All versions prior to commit db560de0b56476c87a2f967466407939196dd254
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using the vulnerable GitHub Actions workflow. The vulnerability is in the CI/CD pipeline, not the OTClient software itself.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the GitHub runner, allowing attackers to steal repository secrets, inject malicious code into the repository, pivot to other systems, and maintain persistent access.

🟠 Likely Case

Unauthorized code execution leading to secret exfiltration (tokens, credentials) and potential repository manipulation or data theft.

🟢 If Mitigated

Limited impact with proper GitHub Actions security controls, secret management, and runner isolation in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires triggering the vulnerable GitHub Actions workflow, which can be done through pull requests or other workflow triggers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit db560de0b56476c87a2f967466407939196dd254

Vendor Advisory: https://github.com/mehah/otclient/security/advisories/GHSA-q6gr-wc79-v589

Restart Required: No

Instructions:

1. Update to commit db560de0b56476c87a2f967466407939196dd254 or later.
2. Replace the vulnerable workflow file with the patched version.
3. Review and update any other workflows that may have similar patterns.

🔧 Temporary Workarounds

Disable vulnerable workflow (applies to: all)

Temporarily disable the 'Analysis - SonarCloud' GitHub Actions workflow to prevent exploitation.

Navigate to repository Settings > Actions > Workflow permissions > Disable workflow

Implement workflow input validation (applies to: all)

Add input validation and sanitization to GitHub Actions workflow files.

Review and modify workflow YAML files to validate all user inputs

🧯 If You Can't Patch

  • Disable GitHub Actions entirely for the repository
  • Implement strict branch protection rules and require manual approval for workflow runs

🔍 How to Verify

Check if Vulnerable:

Check if your .github/workflows/analysis-sonarcloud.yml file contains the vulnerable code pattern from lines 91-104 in the reference link.
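The pattern behind this class of bug, as an added example that is not part of this page or of the OTClient project: GitHub expands `${{ ... }}` expressions before the shell starts, so an expression written directly inside a `run:` script is text substitution, and attacker-influenced fields such as a pull request title land inside the script. The Python checker below scans a workflow file for `${{ github.event.* }}` or `${{ github.head_ref }}` expressions placed inside `run:` steps and reports their line numbers, and it is exercised on two constructed workflows: one with the injectable pattern and one with the same values bound to `env:` and referenced as quoted shell variables, which is the usual hardening. The workflow contents, job and step names are constructed for illustration, and the "untrusted context" rule is a heuristic (every `github.event.*` path is flagged), so it can report fields that are not actually attacker-controlled.

```python
import re
from typing import List, Tuple

# GitHub evaluates ${{ ... }} before the shell starts, so an expression written
# directly inside a run: script is text substitution, not a variable reference.
# Heuristic (an assumption, not an official list): treat every github.event.*
# path and github.head_ref as attacker-influenced when it appears in a run: script.
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{\s*(github\.event\.[A-Za-z0-9_.\[\]*]+|github\.head_ref)\s*\}\}"
)
# Matches the run: key of a step, with or without a leading list dash.
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")

# Constructed workflow (not the OTClient file): untrusted PR data is pasted
# straight into the shell script.
VULNERABLE_WORKFLOW = """\
name: Analysis - example
on: pull_request_target
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - name: Print PR title
        run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
          echo "Branch: ${{ github.head_ref }}"
"""

# Same constructed workflow hardened: the values are bound to environment
# variables and the script only ever sees a quoted shell variable.
HARDENED_WORKFLOW = """\
name: Analysis - example
on: pull_request_target
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - name: Print PR title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          HEAD_REF: ${{ github.head_ref }}
        run: |
          echo "PR title: $PR_TITLE"
          echo "Branch: $HEAD_REF"
"""


def find_run_blocks(text: str) -> List[Tuple[int, str]]:
    """Return (first_line_number, script_text) for every run: step.

    Handles inline scalars (run: echo hi) and block scalars (run: | ...).
    Line numbers are 1-based so findings can be matched to the file.
    """
    lines = text.splitlines()
    blocks: List[Tuple[int, str]] = []
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group(1)) + len(m.group(2) or "")
        value = m.group(3).strip()
        if value and value[0] in "|>":
            # Block scalar: the body is every following line indented deeper
            # than the run: key (blank lines are kept, they hold no expressions).
            first = i + 2  # 1-based number of the line after the run: key
            body = []
            i += 1
            while i < len(lines):
                line = lines[i]
                if line.strip() and len(line) - len(line.lstrip()) <= key_indent:
                    break
                body.append(line)
                i += 1
            blocks.append((first, "\n".join(body)))
        else:
            blocks.append((i + 1, value))
            i += 1
    return blocks


def find_injection_sinks(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, expression) for each untrusted expression in a run: script."""
    findings: List[Tuple[int, str]] = []
    for first_line, script in find_run_blocks(text):
        for offset, line in enumerate(script.splitlines()):
            for m in UNTRUSTED_EXPR.finditer(line):
                findings.append((first_line + offset, m.group(1)))
    return findings


if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        hits = find_injection_sinks(wf)
        print(f"{label}: {len(hits)} injection sink(s)")
        for line, expr in hits:
            print(f"  line {line}: ${{{{ {expr} }}}} inside a run: step; bind it in env: and quote the variable")
```

To use it on a real checkout, read each file under `.github/workflows/` and pass its contents to `find_injection_sinks`; a non-empty result marks a step that needs the `env:` rewrite. The checker is line-based on purpose so it needs no YAML library, which also means it does not follow YAML anchors or multi-document files.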

Check Version:

git log --oneline -1

Verify Fix Applied:

Verify that your workflow file matches the patched version from commit db560de0b56476c87a2f967466407939196dd254.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected workflow runs
  • Suspicious commands in GitHub Actions logs
  • Unauthorized repository modifications

Network Indicators:

  • Unusual outbound connections from GitHub runners
  • Unexpected API calls to external services

SIEM Query:

source="github-actions" AND (command="curl" OR command="wget" OR command="bash -c")
