Cyber Resilience

CVE-2024-42482

Medium

Published: 12 August 2024

Published
12 August 2024
Modified
17 September 2024
KEV Added
Patch
CVSS Score v3.1 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS Score 0.0085 75.3th percentile
Risk Priority 10 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-42482 is a medium-severity Improper Neutralization of Delimiters (CWE-140) vulnerability in Fish-Shop Syntax-Check. Its CVSS base score is 4.8 (Medium).

Operationally, ranked in the top 24.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

fish-shop/syntax-check is a GitHub action for syntax checking fish shell files. Improper neutralization of delimiters in the `pattern` input (specifically the command separator `;` and command substitution characters `(` and `)`) mean that arbitrary command injection is possible by modification…

more

of the input value used in a workflow. This has the potential for exposure or exfiltration of sensitive information from the workflow runner, such as might be achieved by sending environment variables to an external entity. It is recommended that users update to the patched version `v1.6.12` or the latest release version `v2.0.0`, however remediation may be possible through careful control of workflows and the `pattern` input value used by this action.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

fish-shop
syntax-check
≤ 1.6.12

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References