{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57030?format=json","vulnerability_id":"VCID-zhvb-naxf-rkfx","summary":"Monkeytype is a minimalistic and customizable typing test. Monkeytype is vulnerable to Poisoned Pipeline Execution through Code Injection in its ci-failure-comment.yml GitHub Workflow, enabling attackers to gain pull-requests write access. The ci-failure-comment.yml workflow is triggered when the Monkey CI workflow completes. When it runs, it will download an artifact uploaded by the triggering workflow and assign the contents of ./pr_num/pr_num.txt artifact to the steps.pr_num_reader.outputs.content WorkFlow variable. It is not validated that the variable is actually a number and later it is interpolated into a JS script allowing an attacker to change the code to be executed. This issue leads to pull-requests write access. This vulnerability is fixed in 24.30.0.","aliases":[{"alias":"CVE-2024-41127"}],"fixed_packages":[],"affected_packages":[],"references":[{"reference_url":"https://github.com/monkeytypegame/monkeytype/commit/29627fd0d5f152e2da59671987090ea0a5c29874","reference_id":"29627fd0d5f152e2da59671987090ea0a5c29874","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-02T16:48:39Z/"}],"url":"https://github.com/monkeytypegame/monkeytype/commit/29627fd0d5f152e2da59671987090ea0a5c29874"},{"reference_url":"https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-wcjf-5464-4wq9","reference_id":"GHSA-wcjf-5464-4wq9","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-02T16:48:39Z/"}],"url":"https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-wcjf-5464-4wq9"},{"reference_url":"https://securitylab.github.com/advisories/GHSL-2024-167_monkeytype","reference_id":"GHSL-2024-167_monkeytype","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-02T16:48:39Z/"}],"url":"https://securitylab.github.com/advisories/GHSL-2024-167_monkeytype"}],"weaknesses":[{"cwe_id":74,"name":"Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')","description":"The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component."}],"exploits":[],"severity_range_score":"8.4 - 8.4","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zhvb-naxf-rkfx"}