RCE in StepSecurity Harden-Runner

CVE-2024-52587

StepSecurity's Harden-Runner provides network egress filtering and runtime security for GitHub-hosted and self-hosted runners. Versions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via envir…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.020 (84.0th percentile)

Affected products

Weakness classification (CWE)

References