
CVE-2022-29220

No verification of commits origin in github-action-merge-dependabot

Severity Score: 6.5 (CVSS v3.1)

Exploit Likelihood (EPSS):

Affected Versions (CPE):

Public Exploits: 0 (Multiple Sources)

Exploited in Wild: - (KEV)

Decision: - (SSVC)
Descriptions

github-action-merge-dependabot is an action that automatically approves and merges dependabot pull requests (PRs). Prior to version 3.2.0, github-action-merge-dependabot does not check whether a commit created by dependabot is verified with the proper GPG key; it only checks whether the actor is set to `dependabot[bot]` to decide that the PR is legitimate. Theoretically, the owner of a seemingly valid and legitimate action in the pipeline can check whether the PR was created by dependabot and whether their own action has enough permissions to modify the PR. If so, they can modify the PR by adding a second seemingly valid and legitimate commit, since the username and email on git commits can be set arbitrarily. Because the bot only checks that the actor is valid, it would pass the malicious changes through and merge the PR automatically, without the project maintainers noticing. It would probably not be possible to determine where the malicious commit came from, as it would only show `dependabot[bot]` and the corresponding email address. Version 3.2.0 contains a patch for this issue.


*Credits: N/A
CVSS Scores
CVSS v3.1
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: High
  • Availability: None
CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: Single
  • Confidentiality: None
  • Integrity: Partial
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2022-04-13 CVE Reserved
  • 2022-05-31 CVE Published
  • 2023-12-22 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-283: Unverified Ownership
  • CWE-345: Insufficient Verification of Data Authenticity
CAPEC
Affected Vendors, Products, and Versions
Vendor   Product                         Version  Other  Status
Fastify  Github Action Merge Dependabot  < 3.2.0  -      Affected