7.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-cxww-7g56-2vh6

GHSA-cxww-7g56-2vh6: @actions/download-artifact has an Arbitrary File Write via artifact extraction

Impact

Versions of actions/download-artifact before 4.1.3 are vulnerable to arbitrary file write when downloading and extracting a specifically crafted artifact that contains path traversal filenames.

Patches

Upgrade to version 4.1.3 or higher. Alternatively use 'v4' tag which points to the latest and secure version.

References

https://snyk.io/research/zip-slip-vulnerability
https://github.com/actions/download-artifact/releases/tag/v4.1.3
https://github.com/actions/download-artifact/pull/299

CVE

CVE-2024-42471

Credits

Justin Taft from Google

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-cxww-7g56-2vh6

GHSA-cxww-7g56-2vh6:

7.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
actions/download-artifact	actions	>= 4.0.0, < 4.1.3	4.1.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper path validation during artifact extraction. The advisory references the Zip Slip vulnerability pattern (CWE-22) and links to fixes in @actions/artifact. The functions downloadArtifactInternal, downloadArtifactPublic, and streamExtractExternal in the @actions/artifact package (a dependency of actions/download-artifact) were identified as vulnerable. These functions handle artifact downloading and extraction without proper path sanitization, allowing path traversal. The confidence is high as the advisory explicitly mentions these functions and their fixes in the patched versions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.3

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-cxww-7g56-2vh6: @actions/download-artifact has an Arbitrary File Write via artifact extraction

Impact

Patches

References

CVE

Credits

GHSA-cxww-7g56-2vh6:

7.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

GHSA-cxww-7g56-2vh6: @actions/download-artifact has an Arbitrary File Write via artifact extraction

Impact

Patches

References

CVE

Credits

7.3

7.3

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI