CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS
Percentile
64.9%
projen
is a project generation tool that synthesizes project configuration files such as package.json
, tsconfig.json
, .gitignore
, GitHub Workflows, eslint
, jest
, and more, from a well-typed definition written in JavaScript. Users of projen’s NodeProject
project type (including any project type derived from it) include a .github/workflows/rebuild-bot.yml
workflow that may allow any GitHub user to trigger execution of un-trusted code in the context of the “main” repository (as opposed to that of a fork). In some situations, such untrusted code may potentially be able to commit to the “main” repository. The rebuild-bot workflow is triggered by comments including @projen rebuild
on pull-request to trigger a re-build of the projen project, and updating the pull request with the updated files. This workflow is triggered by an issue_comment
event, and thus always executes with a GITHUB_TOKEN
belonging to the repository into which the pull-request is made (this is in contrast with workflows triggered by pull_request
events, which always execute with a GITHUB_TOKEN
belonging to the repository from which the pull-request is made). Repositories that do not have branch protection configured on their default branch (typically main
or master
) could possibly allow an untrusted user to gain access to secrets configured on the repository (such as NPM tokens, etc). Branch protection prohibits this escalation, as the managed GITHUB_TOKEN
would not be able to modify the contents of a protected branch and affected workflows must be defined on the default branch.
Vendor | Product | Version | CPE |
---|---|---|---|
projen_project | projen | * | cpe:2.3:a:projen_project:projen:*:*:*:*:*:node.js:*:* |
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS
Percentile
64.9%