Code-Injection Vulnerabilities: Google, Apache Open Source GitHub Projects

The flaws lie in continuous integration and continuous delivery (CI/CD) pipelines and could let attackers subvert modern development workflows and roll out malicious code at deployment time.

Security vulnerabilities were discovered in the GitHub environments of two very popular open source projects from Apache and Google; they could be used to stealthily modify project source code, steal secrets, and move laterally inside an organization.

Researchers dubbed the vulnerability "GitHub Environment Injection." It allows attackers to take control of a vulnerable project's GitHub Actions pipeline by getting a specially crafted payload written to GITHUB_ENV, the environment file GitHub Actions uses to pass variables between workflow steps.
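To make the mechanism concrete, the following added example (not code from the article, the affected projects, or GitHub) models the GITHUB_ENV file format and contrasts the unsafe pattern of interpolating untrusted text straight into a `NAME=VALUE` line with the delimiter form GitHub documents for multi-line values. The parser is a simplified model of how the runner reads the file (an assumption), and the untrusted input is constructed.

```python
"""Added example: why raw interpolation into GITHUB_ENV is unsafe, and the
delimiter form that neutralises it. parse_github_env is a simplified model
of the GITHUB_ENV reader (assumption: NAME=VALUE per line, or
NAME<<DELIM ... DELIM blocks), not GitHub's own implementation."""
import re
import secrets

NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def naive_entry(name: str, value: str) -> str:
    """The unsafe pattern: echo "NAME=$UNTRUSTED" >> "$GITHUB_ENV"."""
    return f"{name}={value}\n"

def safe_entry(name: str, value: str) -> str:
    """Hardened writer: validated name, random delimiter block, so a newline
    inside `value` can never start a second assignment."""
    if not NAME_RE.match(name):
        raise ValueError(f"invalid variable name: {name!r}")
    if "\r" in value:  # refuse carriage returns rather than guess how they split
        raise ValueError("carriage return not allowed in value")
    delim = "EOF_" + secrets.token_hex(16)
    if delim in value:  # practically impossible, but fail closed anyway
        raise ValueError("value collides with delimiter")
    return f"{name}<<{delim}\n{value}\n{delim}\n"

def parse_github_env(text: str) -> dict:
    """Simplified model of the GITHUB_ENV reader (assumption, see above)."""
    env, lines, i = {}, text.split("\n"), 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line:
            continue
        m = re.match(r"^([^=<]+)<<(.+)$", line)
        if m:  # multi-line block: collect until the closing delimiter line
            name, delim, body = m.group(1), m.group(2), []
            while i < len(lines) and lines[i] != delim:
                body.append(lines[i])
                i += 1
            i += 1  # skip the closing delimiter
            env[name] = "\n".join(body)
        elif "=" in line:
            name, _, value = line.partition("=")
            env[name] = value
    return env

# Constructed untrusted input, e.g. an issue title copied into a workflow step.
UNTRUSTED = "harmless title\nINJECTED=1"

def demo() -> tuple:
    """Number of variables each writer ends up defining from the same input."""
    unsafe = parse_github_env(naive_entry("TITLE", UNTRUSTED))
    safe = parse_github_env(safe_entry("TITLE", UNTRUSTED))
    return len(unsafe), len(safe)  # (2, 1)
```

The naive writer turns one untrusted value into two variables; the delimiter form keeps the whole string, newline included, inside TITLE.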

The flaws stem both from a design weakness in the GitHub platform itself and from how different open source projects and enterprises use it. Enterprise development teams should always assume zero trust with GitHub Actions and other build systems.