
Zizmor would have caught the Ultralytics workflow vulnerability


Dec 6, 2024 | Tags: oss, security

TL;DR: zizmor would have caught the vulnerability that caused this… mostly. Read on for details.

- It flags .github/workflows/format.yml:7:1 as using a fundamentally insecure trigger (pull_request_target);
- It flags other sources of template/code injection in the Ultralytics workflows, including identical uses of the git pull <template expression> pattern that made their custom action exploitable.

The attacker obtained code execution in the parent (ultralytics/ultralytics) CI context via an insecure workflow trigger (pull_request_target) combined with a template injection in a custom composite GitHub Action. From this point on, the repository should be considered compromised: the attacker is assumed to have access to everything in the secrets context, including any GitHub PATs and the PyPI API token (which was not in use, since Ultralytics had switched to Trusted Publishing).
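The two findings above (a pull_request_target trigger, and a ${{ ... }} expression expanded inside a shell step) are the kind of check an audit tool applies to a workflow file. The following is an added example written for this page, not zizmor's own code and not the Ultralytics workflow: a small line-oriented scanner that flags both patterns, run against two constructed workflow texts, one showing the vulnerable shape and one showing the usual hardened shape (a plain pull_request trigger, with the untrusted value passed through an env variable instead of being expanded into the script). The set of expression roots treated as attacker-controlled (github.event.*, github.head_ref) is an assumption made here for illustration; a real audit covers more.

```python
import re

# Any ${{ ... }} template expression.
EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
# Expression roots that an outside pull-request author can influence (assumed list
# for this example: PR metadata such as head ref, title, body).
ATTACKER_CONTROLLED = re.compile(r"^(github\.event\.|github\.head_ref\b)")
# A `run:` step key, optionally as a list item (`- run:`).
RUN_KEY = re.compile(r"^(-\s+)?run:\s*(.*)$")

# Constructed sample, NOT the Ultralytics file: insecure trigger plus an
# attacker-controlled expression expanded directly into a shell command.
VULNERABLE_WORKFLOW = """\
name: format
on:
  pull_request_target:
    branches: [main]
jobs:
  format:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: pull branch
        run: |
          git pull origin ${{ github.event.pull_request.head.ref }}
      - name: safe step
        env:
          REF: ${{ github.event.pull_request.head.ref }}
        run: echo "$REF"
"""

# Constructed hardened shape: ordinary pull_request trigger (no secrets, read-only
# token for forks) and the untrusted value passed via env, then quoted in the shell.
HARDENED_WORKFLOW = """\
name: format
on:
  pull_request:
    branches: [main]
jobs:
  format:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: pull branch
        env:
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
        run: |
          git pull origin "$HEAD_REF"
"""


def _check_run_text(text: str, lineno: int, findings: list) -> None:
    """Flag attacker-controlled expressions that are expanded inside a run: step."""
    for m in EXPR.finditer(text):
        if ATTACKER_CONTROLLED.match(m.group(1)):
            findings.append({
                "kind": "template-injection",
                "line": lineno,
                "detail": f"{m.group(0)} is expanded into the shell script of a run: step",
            })


def audit_workflow(text: str) -> list:
    """Return a list of findings (kind, line, detail) for a workflow YAML text."""
    findings = []
    in_run = False      # currently inside a block-scalar run: value
    run_indent = -1     # indentation of the run: key that opened the block
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.lstrip(" ")
        indent = len(line) - len(stripped)
        if in_run:
            if not stripped:
                continue                      # blank line inside the block
            if indent > run_indent:
                _check_run_text(line, lineno, findings)
                continue
            in_run = False                    # block ended; process this line normally
        if re.search(r"\bpull_request_target\b", line):
            findings.append({
                "kind": "dangerous-trigger",
                "line": lineno,
                "detail": "pull_request_target runs with the base repository's secrets "
                          "on input controlled by the pull request author",
            })
        m = RUN_KEY.match(stripped)
        if m:
            key_indent = indent + (len(m.group(1)) if m.group(1) else 0)
            value = m.group(2)
            if value.startswith(("|", ">")):  # block scalar: check the following lines
                in_run = True
                run_indent = key_indent
            else:                             # inline script on the same line
                _check_run_text(value, lineno, findings)
    return findings


if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name)
        for f in audit_workflow(wf):
            print(f"  line {f['line']}: {f['kind']}: {f['detail']}")
```

Against the constructed vulnerable workflow the scanner reports the trigger on line 3 and the injection on line 12; the env-based step is not flagged, because the expression is bound to an environment variable rather than spliced into the script, which is the mitigation that also applies to the git pull pattern described above. The hardened workflow produces no findings.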
