4.4

CVSS Score

3.0

Basic Information

CVE ID

CVE-2024-3924

GHSA ID

GHSA-qq99-p57r-g3v7

EPSS Score

0.50434%

CWE

CWE-94

Published

6/2/2024

Updated

6/2/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-3924

CVE-2024-3924: code injection vulnerability exists in the huggingface/text-generation-inference repository

A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the autodocs.yml workflow file. The vulnerability arises from the insecure handling of the github.head_ref user input, which is used to dynamically construct a command for installing a software package. An attacker can exploit this by forking the repository, creating a branch with a malicious payload as the name, and then opening a pull request to the base repository. Successful exploitation could lead to arbitrary code execution within the context of the GitHub Actions runner. This issue affects versions up to and including v2.0.0 and was fixed in version 2.0.0.

(GitHub Advisory)

4.4

CVSS Score

3.0

Basic Information

CVE ID

CVE-2024-3924

GHSA ID

GHSA-qq99-p57r-g3v7

EPSS Score

0.50434%

CWE

CWE-94

Published

6/2/2024

Updated

6/2/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
text-generation	pip	< 2.0.0	2.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the GitHub Actions workflow step that runs 'cargo install' with unsanitized user input (github.head_ref). The pre-patch code constructed the command by directly embedding the user-controlled branch name into the command string, enabling shell injection attacks. The fix introduced environment variables and proper quoting to mitigate this. While not a traditional function, in the context of CI/CD pipelines, workflow steps serve as execution units analogous to functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* *o** inj**tion vuln*r**ility *xists in t** *u**in*****/t*xt-**n*r*tion-in**r*n** r*pository, sp**i*i**lly wit*in t** `*uto*o*s.yml` work*low *il*. T** vuln*r**ility *ris*s *rom t** ins**ur* **n*lin* o* t** `*it*u*.****_r**` us*r input, w*i** is us*

Reasoning

T** vuln*r**ility *xists in t** *it*u* **tions work*low st*p t**t runs '**r*o inst*ll' wit* uns*nitiz** us*r input (*it*u*.****_r**). T** pr*-p*t** *o** *onstru*t** t** *omm*n* *y *ir**tly *m****in* t** us*r-*ontroll** *r*n** n*m* into t** *omm*n* st

4.4

Basic Information

Concerned about an active attack path?

CVE-2024-3924: code injection vulnerability exists in the huggingface/text-generation-inference repository

4.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI