How We Found Another GitHub Action Environment Injection Vulnerability in a Google Project | allinfosecnews.com

July 3, 2023, 6 p.m. | noam@legitsecurity.com (Noam Dotan)

Legit Security Blog www.legitsecurity.com

This blog shows another case of GitHub Actions environment injection vulnerability in a Google repository. The previous case where we found vulnerabilities in Firebase repositories can be found here with a detailed explanation of the underline mechanism that allows this type of vulnerabilities. By exploiting this vulnerability an attack could put Google’s Orbit users and maintainers at risk by injecting malicious code, conducting phishing attacks and more, depending on the project specific configuration.

action actions blog case environment exploiting firebase github github action github actions google injection legit project repositories repository threats vulnerabilities vulnerability

More from www.legitsecurity.com / Legit Security Blog

Dependency Confusion Vulnerability Found in an Archived Apache Project 1 week, 1 day ago | www.legitsecurity.com

apache appsec best practices dependency +10

The Role of ASPM in Enhancing Software Supply Chain Security 1 week, 5 days ago | www.legitsecurity.com

appsec aspm best practices critical +14

How to Reduce the Risk of Using External AI Models in Your SDLC 2 weeks, 4 days ago | www.legitsecurity.com

address ai models appsec best practices +5

Securing the Software Supply Chain: Risk Management Tips 4 weeks, 1 day ago | www.legitsecurity.com

appsec best practices can explainers +15

What You Need to Know About the XZ Utils Backdoor 1 month ago | www.legitsecurity.com

announcement appsec backdoor legit +3

How to Get the Most From Your Secrets Scanning 1 month ago | www.legitsecurity.com

amp appsec best practices code +17

Microsoft Under Attack by Russian Cyberattackers 1 month, 2 weeks ago | www.legitsecurity.com

appsec attack attackers best practices +11

Don't Miss These Emerging Trends in Cloud Application Security 1 month, 2 weeks ago | www.legitsecurity.com

application application security appsec best practices +9

Using AI to Reduce False Positives in Secrets Scanners 1 month, 2 weeks ago | www.legitsecurity.com

appsec best practices false positives legit +6

SOC 2 Manager, Audit and Certification

@ Deloitte | US and CA Multiple Locations

View on infosec-jobs.com

Cloud Security Engineer

@ Gainwell Technologies | Any city, OR, US, 99999

View on infosec-jobs.com

Federal Workday Security Lead

@ Accenture Federal Services | Arlington, VA

View on infosec-jobs.com

Workplace Consultant

@ Solvinity | Den Bosch, Noord-Brabant, Nederland

View on infosec-jobs.com

SrMgr-Global Information Security - Security Risk Management

@ Marriott International | Bethesda, MD, United States

View on infosec-jobs.com

Sr. Security Engineer - Data Loss Prevention

@ Verisk | Jersey City, NJ, United States

View on infosec-jobs.com