Impact
Versions of actions/artifact before 2.1.7 are vulnerable to arbitrary file write when using downloadArtifactInternal, downloadArtifactPublic, or streamExtractExternal for extracting a specifically crafted artifact that contains path traversal filenames.
Patches
Upgrade to version 2.1.7 or higher.
References
CVE
CVE-2024-42471
Credits
Justin Taft from Google