<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Owasp-Blt - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/owasp-blt/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 15:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/owasp-blt/feed.xml" rel="self" type="application/rss+xml"/><item><title>OWASP BLT RCE via Malicious Pull Request</title><link>https://feed.craftedsignal.io/briefs/2024-01-owasp-blt-rce/</link><pubDate>Tue, 02 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-owasp-blt-rce/</guid><description>OWASP BLT versions before 2.1.1 are vulnerable to remote code execution via a malicious pull request that injects code into the CI environment through the 'regenerate-migrations' workflow.</description><content:encoded><![CDATA[<p>OWASP BLT, a QA testing and vulnerability disclosure platform, is susceptible to a critical remote code execution (RCE) vulnerability (CVE-2026-40316) in versions prior to 2.1.1. The vulnerability resides in the <code>.github/workflows/regenerate-migrations.yml</code> workflow. This workflow utilizes the <code>pull_request_target</code> trigger, granting it full <code>GITHUB_TOKEN</code> write permissions. An attacker can exploit this by submitting a malicious pull request containing a specially crafted <code>website/models.py</code> file. When a maintainer applies the <code>regenerate-migrations</code> label, the workflow copies files from the untrusted pull request, specifically the <code>website/models.py</code> file, into the trusted runner workspace using <code>git show</code>. Subsequently, the workflow executes <code>python manage.py makemigrations</code>, which imports Django model modules, including the attacker-controlled <code>website/models.py</code>. This import leads to the execution of any module-level Python code within the attacker's <code>models.py</code> file. This results in arbitrary code execution within the privileged CI environment, enabling access to <code>GITHUB_TOKEN</code> and repository secrets.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker creates a malicious fork of an OWASP BLT repository running a version prior to 2.1.1.</li>
<li>The attacker crafts a <code>website/models.py</code> file containing malicious Python code designed for remote code execution, such as exfiltrating secrets or injecting a reverse shell.</li>
<li>The attacker submits a pull request to the upstream OWASP BLT repository, including the malicious <code>website/models.py</code> file.</li>
<li>A maintainer applies the <code>regenerate-migrations</code> label to the pull request, triggering the <code>.github/workflows/regenerate-migrations.yml</code> workflow.</li>
<li>The <code>git show</code> command within the workflow copies the attacker-controlled <code>website/models.py</code> file from the pull request into the runner's workspace.</li>
<li>The <code>python manage.py makemigrations</code> command is executed, which imports the Django model modules, including the malicious <code>website/models.py</code> file.</li>
<li>The attacker's malicious Python code within <code>website/models.py</code> is executed in the privileged CI environment, granting access to <code>GITHUB_TOKEN</code> and repository secrets.</li>
<li>The attacker leverages the compromised <code>GITHUB_TOKEN</code> to exfiltrate sensitive information, inject malicious code, or perform other unauthorized actions within the repository, potentially leading to a supply chain attack.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-40316 allows an attacker to achieve remote code execution within the OWASP BLT CI environment. This can lead to the exfiltration of sensitive information, such as API keys and credentials, potentially compromising connected systems. The attacker can also modify the repository code, inject malicious code, or even take complete control of the repository. This poses a significant risk to the integrity and security of the OWASP BLT project and its users. Given that OWASP BLT is used for QA testing and vulnerability disclosure, a successful attack could undermine trust in the platform itself, impacting numerous other projects and organizations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade OWASP BLT to version 2.1.1 or later to patch CVE-2026-40316.</li>
<li>Implement controls to restrict the use of the <code>regenerate-migrations</code> label and require multi-factor authentication for maintainers.</li>
<li>Monitor GitHub Actions logs for suspicious activity, particularly related to the <code>regenerate-migrations</code> workflow and the execution of <code>python manage.py makemigrations</code>. Deploy the Sigma rules in this brief to your SIEM to detect suspicious activity.</li>
<li>Implement code review processes to carefully examine pull requests, especially those modifying <code>website/models.py</code> or other critical files.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>owasp-blt</category><category>rce</category><category>github-actions</category><category>supply-chain</category></item></channel></rss>