Code-Injection Bugs Attack Google, Apache Open Source GitHub Projects


Two security flaws were found in the GitHub environments of two highly well-known open source projects from Google and Apache that might be used to slyly alter the project’s source code, steal information, and move around an organization.

Researchers from Legit Security discovered the holes affecting a Google Firebase project and a well-known integration framework project run by Apache. They are continuous integration/continuous delivery (CI/CD) flaws that potentially endanger many more open source projects worldwide. The vulnerability pattern was given the name “GitHub Environment Injection” by researchers.

By writing a specially crafted payload to a GitHub environment variable called “GITHUB ENV,” it enables attackers to take over a vulnerable project’s GitHub Actions pipeline.

Read More: Code-Injection Bugs Bite Google, Apache Open Source GitHub Projects

For more such updates follow us on Google News ITsecuritywire News