NVD Vulnerability Detail

CVE-2021-32638

Summary	Github's CodeQL action is provided to run CodeQL-based code scanning on non-GitHub CI/CD systems and requires a GitHub access token to connect to a GitHub repository. The runner and its documentation previously suggested passing the GitHub token as a command-line parameter to the process instead of reading it from a file, standard input, or an environment variable. This approach made the token visible to other processes on the same machine, for example in the output of the `ps` command. If the CI system publicly exposes the output of `ps`, for example by logging the output, then the GitHub access token can be exposed beyond the scope intended. Users of the CodeQL runner on 3rd-party systems, who are passing a GitHub token via the `--github-auth` flag, are affected. This applies to both GitHub.com and GitHub Enterprise users. Users of the CodeQL Action on GitHub Actions are not affected. The `--github-auth` flag is now considered insecure and deprecated. The undocumented `--external-repository-token` flag has been removed. To securely provide a GitHub access token to the CodeQL runner, users should do one of the following instead: Use the `--github-auth-stdin` flag and pass the token on the command line via standard input OR set the `GITHUB_TOKEN` environment variable to contain the token, then call the command without passing in the token. The old flag remains present for backwards compatibility with existing workflows. If the user tries to specify an access token using the `--github-auth` flag, there is a deprecation warning printed to the terminal that directs the user to one of the above options. All CodeQL runner releases codeql-bundle-20210304 onwards contain the patches. We recommend updating to a recent version of the CodeQL runner, storing a token in your CI system's secret storage mechanism, and passing the token to the CodeQL runner using `--github-auth-stdin` or the `GITHUB_TOKEN` environment variable. If still using the old flag, ensure that process output, such as from `ps`, is not persisted in CI logs.
Publication Date	May 26, 2021, 2:15 a.m.
Registration Date	May 26, 2021, 10 a.m.
Last Update	Nov. 21, 2024, 3:07 p.m.

CVSS3.1 : MEDIUM
スコア	4.4
Vector	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
攻撃元区分(AV)	ローカル
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	高
利用者の関与(UI)	不要
影響の想定範囲(S)	変更なし
機密性への影響(C)	高
完全性への影響(I)	なし
可用性への影響(A)	なし

CVSS2.0 : LOW
Score	2.1
Vector	AV:L/AC:L/Au:N/C:P/I:N/A:N
攻撃元区分(AV)	ローカル
攻撃条件の複雑さ(AC)	低
攻撃前の認証要否(Au)	不要
機密性への影響(C)	低
完全性への影響(I)	なし
可用性への影響(A)	なし
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:github:codeql_action::::::::					20210304

Related information, measures and tools

No	URL	タグ
1	https://github.com/github/codeql-action/commit/58defc0652e935f6f2ffc70a82828b98d75476fb	Patch Third Party Advisory
2	https://github.com/github/codeql-action/commit/58defc0652e935f6f2ffc70a82828b98d75476fb	Patch Third Party Advisory
3	https://github.com/github/codeql-action/commit/88714e3a60e72ec53caa0e6a203652ee1f3fb1db	Patch Third Party Advisory
4	https://github.com/github/codeql-action/commit/88714e3a60e72ec53caa0e6a203652ee1f3fb1db	Patch Third Party Advisory
5	https://github.com/github/codeql-action/releases/tag/codeql-bundle-20210304	Third Party Advisory
6	https://github.com/github/codeql-action/releases/tag/codeql-bundle-20210304	Third Party Advisory
7	https://github.com/github/codeql-action/security/advisories/GHSA-g36v-2xff-pv5m	Exploit Mitigation Patch Third Party Advisory
8	https://github.com/github/codeql-action/security/advisories/GHSA-g36v-2xff-pv5m	Exploit Mitigation Patch Third Party Advisory
9	https://www.netmeister.org/blog/passing-passwords.html	Third Party Advisory
10	https://www.netmeister.org/blog/passing-passwords.html	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-200	情報漏えい	https://cwe.mitre.org/data/definitions/200.html

JVN Vulnerability Information

Github CodeQL action における情報漏えいに関する脆弱性

Title	Github CodeQL action における情報漏えいに関する脆弱性
Summary	Github CodeQL action には、情報漏えいに関する脆弱性、および重要な情報を使用しているプロセスの呼び出しに関する脆弱性が存在します。
Possible impacts	情報を取得される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Feb. 17, 2021, midnight
Registration Date	March 15, 2022, 11:25 a.m.
Last Update	March 15, 2022, 11:25 a.m.

Affected System

GitHub

CodeQL action codeql-bundle-20210304 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2021-32638	https://www.cve.org/CVERecord?id=CVE-2021-32638
National Vulnerability Database (NVD)
2	CVE-2021-32638	https://nvd.nist.gov/vuln/detail/CVE-2021-32638

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-200	https://jvndb.jvn.jp/ja/cwe/CWE-200.html
2	CWE-214	https://cwe.mitre.org/data/definitions/214.html

ベンダー情報

No	Name	URL
GitHub
1	Add capability to specify auth from env var or stdin	https://github.com/github/codeql-action/commit/88714e3a60e72ec53caa0e6a203652ee1f3fb1db
2	CodeQL runner: Command-line options that make GitHub access tokens visible to other processes are now deprecated	https://github.com/github/codeql-action/security/advisories/GHSA-g36v-2xff-pv5m
3	Remove --external-repository-token option from runner	https://github.com/github/codeql-action/commit/58defc0652e935f6f2ffc70a82828b98d75476fb

Change Log

No	Changed Details	Date of change
1	[2022年03月15日] 掲載	March 15, 2022, 11:25 a.m.