CVE-2024-42471 Information

Description

actions/artifact is the GitHub ToolKit for developing GitHub Actions. Versions of actions/artifact before 2.1.7 are vulnerable to arbitrary file write when using downloadArtifactInternal, downloadArtifactPublic, or streamExtractExternal to extract a specially crafted artifact that contains path traversal filenames. Users are advised to upgrade to version 2.1.7 or higher. There are no known workarounds for this issue.
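
The path traversal condition described above can be checked for each archive entry before anything is written to disk. The following is an added example in JavaScript, not code from actions/toolkit or from its fix; the function names, the extraction directory and the sample entry names are constructed for illustration.

```javascript
const path = require('path');

// Resolve an archive entry name against the extraction root and throw if the
// result would land outside that root. Returns the absolute target path.
function resolveEntryPath(destDir, entryName) {
  const root = path.resolve(destDir);
  if (entryName.includes('\0')) {
    throw new Error('NUL byte in entry name');
  }
  // Archive entries normally use '/', but a crafted name may use '\' instead;
  // normalise so the check gives the same answer on every platform.
  const normalised = entryName.replace(/\\/g, '/');
  const target = path.resolve(root, normalised);
  // path.relative() starts with '..' (or is absolute, e.g. another drive on
  // Windows) exactly when target is not inside root.
  const rel = path.relative(root, target);
  const escapes =
    rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  if (escapes) {
    throw new Error('entry escapes extraction directory: ' + JSON.stringify(entryName));
  }
  return target;
}

// Split a list of entry names into resolved safe targets and rejected names.
function auditEntries(destDir, entryNames) {
  const safe = [];
  const rejected = [];
  for (const name of entryNames) {
    try {
      safe.push(resolveEntryPath(destDir, name));
    } catch (err) {
      rejected.push(name);
    }
  }
  return { safe, rejected };
}

// Constructed sample entry names (not taken from any real artifact).
const SAMPLE_ENTRIES = [
  'build/app.js',            // ordinary entry
  'logs/../report.txt',      // contains '..' but stays inside the root
  '..notes.txt',             // leading dots in a file name, not a traversal
  '../outside.txt',          // climbs out of the root
  'build/../../outside.txt', // climbs out after descending
  '/tmp/outside.txt',        // absolute path ignores the root entirely
  '..\\..\\outside.txt',     // backslash-separated traversal
];
```

The check is lexical only: it does not account for symbolic links that already exist under the extraction directory.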

Reference

https://github.com/actions/toolkit/security/advisories/GHSA-6q32-hq47-5qq3
https://github.com/actions/toolkit/pull/1724
https://snyk.io/research/zip-slip-vulnerability
