Important information about your GitHub account
2 points by kasdi on May 25, 2023 | hide | past | favorite
Hi xxx,

We're writing to let you know that we were recently made aware of a bug that allowed users using fine-grained personal access tokens (PATs) with repository `read and write` permissions to bypass the workflow permission that checked the ability to access and edit an Actions file via the git command line interface (cli).

* What happened? *

When accessing a repository using git over HTTPS with a [fine-grained personal access token](https://github.blog/2022-10-18-introducing-fine-grained-personal-access-tokens-for-github/) scoped with `Contents - Read and write`, the `Workflow` permission of the token was not properly checked before allowing the creation or modification of Action workflows. This would allow an actor to modify workflows, allowing them to potentially use the Actions $GITHUB_TOKEN to elevate their permissions within the repository beyond the `Contents - Read and write` permission of the token. More information about the Actions $GITHUB_TOKEN is available here:

https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

This bug did not provide users access to any repositories to which they didn't already have access. It was limited to workflows within repositories they could already access.

* What information was involved? *

Workflows in repositories owned by your personal account may have been affected by this issue.

The criteria used to determine the repositories and workflows that were potentially affected:

- Repository write changes made using a fine-grained PAT via the git cli
- Repositories which had workflow runs
- The changes above were made within the length of time the bug was present, which is: October 1, 2022 to February 27, 2023 1am PDT

We were not able to find:

- If the git operations made actually changed workflow files
- If the fine-grained PAT used had the workflow scope at the time

The following repositories and workflows were potentially affected:

xxx/yyy

* What GitHub is doing *

GitHub was made aware of the issue on January 20, 2023. We immediately began work on addressing the bug and fixed the flaw on February 27, 2023, as well as made further preventative hardening.

* What you should do *

We recommend checking all workflow files, especially on the default branches of your repositories, for any unexpected or unknown changes.

More information on how to list repository workflows and verify update and creation times can be found in our documentation located here: https://docs.github.com/en/rest/actions/workflows?apiVersion=2022-11-28

If you have any specific concerns, you may contact our support team by submitting a message through our contact form: https://github.com/contact?form%5Bsubject%5D=Re:Reference+GH-0013136-5553-3&tags=GH-0013136-5553-2.

Thanks, GitHub Security
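As an added example (not part of GitHub's notice), here is a Python snippet that takes the JSON returned by the workflows endpoint the notice links to (GET /repos/{owner}/{repo}/actions/workflows) and flags workflows whose created_at or updated_at falls inside the stated bug window. The payload below is constructed; the window end is taken as 1am on February 27, 2023 read as PST (09:00 UTC), one hour later than the literal "PDT" in the notice, so as to err on the side of flagging.

```python
"""Flag Actions workflows with timestamps inside the PAT-bypass window."""
from datetime import datetime, timezone

# Window stated in the notice. 1am on Feb 27, 2023 is 08:00 UTC if read as
# PDT (as written) and 09:00 UTC as PST (the zone actually in effect that
# day); the later value is used so nothing near the boundary is missed.
WINDOW_START = datetime(2022, 10, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 2, 27, 9, 0, tzinfo=timezone.utc)

# Constructed sample in the shape of the workflows endpoint response.
SAMPLE = {
    "total_count": 3,
    "workflows": [
        {"id": 1, "name": "CI", "path": ".github/workflows/ci.yml",
         "created_at": "2021-06-01T12:00:00.000-07:00",
         "updated_at": "2021-06-01T12:00:00.000-07:00"},
        {"id": 2, "name": "Release", "path": ".github/workflows/release.yml",
         "created_at": "2022-12-05T09:30:00.000-08:00",
         "updated_at": "2023-01-20T18:45:00.000-08:00"},
        {"id": 3, "name": "Deploy", "path": ".github/workflows/deploy.yml",
         "created_at": "2022-09-01T08:00:00.000-07:00",
         "updated_at": "2023-03-10T08:00:00.000-08:00"},
    ],
}


def parse_gh_time(value):
    """Parse an ISO 8601 timestamp with an offset or a trailing Z."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def in_window(ts):
    return WINDOW_START <= ts <= WINDOW_END


def flag_workflows(payload):
    """Return (path, reason) pairs for workflows touched inside the window."""
    flagged = []
    for wf in payload.get("workflows", []):
        reasons = []
        if in_window(parse_gh_time(wf["created_at"])):
            reasons.append("created " + wf["created_at"])
        if in_window(parse_gh_time(wf["updated_at"])):
            reasons.append("updated " + wf["updated_at"])
        if reasons:
            flagged.append((wf["path"], "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    for path, reason in flag_workflows(SAMPLE):
        print(path, "->", reason)
```

updated_at only reflects the most recent change, so a workflow edited inside the window and again afterwards will not be flagged here; the git history of `.github/workflows/` on the default branch is the record to check for that case.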
