NVD Vulnerability Detail

Search Exploit, PoC

NVD脆弱性検索トップ

->

NVD Vulnerability Detail

CVE-2024-45798

Summary	arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. The `arduino-esp32` CI is vulnerable to multiple Poisoned Pipeline Execution (PPE) vulnerabilities. Code injection in `tests_results.yml` workflow (`GHSL-2024-169`) and environment Variable injection (`GHSL-2024-170`). These issue have been addressed but users are advised to verify the contents of the downloaded artifacts.
Publication Date	Sept. 18, 2024, 4:15 a.m.
Registration Date	Sept. 18, 2024, noon
Last Update	Sept. 20, 2024, 9:30 p.m.

Related information, measures and tools

No	URL	refsource	タグ
1	https://github.com/espressif/arduino-esp32/security/advisories/GHSA-h52q-xhg2-6jw8
2	https://codeql.github.com/codeql-query-help/javascript/js-actions-command-injection
3	https://github.com/espressif/arduino-esp32/blob/690bdb511d9f001e2066da2dda2c631a3eee270f/.github/workflows/tests_results.yml
4	https://securitylab.github.com/research/github-actions-preventing-pwn-requests
5	https://securitylab.github.com/research/github-actions-untrusted-input

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-20	不適切な入力確認	https://cwe.mitre.org/data/definitions/20.html
2	CWE-78	OSコマンド・インジェクション	https://cwe.mitre.org/data/definitions/78.html
3	CWE-94	コード・インジェクション	https://cwe.mitre.org/data/definitions/94.html