{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/owasp/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-40316"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OWASP BLT"],"_cs_severities":["critical"],"_cs_tags":["owasp-blt","rce","github-actions","supply-chain"],"_cs_type":"advisory","_cs_vendors":["OWASP"],"content_html":"\u003cp\u003eOWASP BLT, a QA testing and vulnerability disclosure platform, is susceptible to a critical remote code execution (RCE) vulnerability (CVE-2026-40316) in versions prior to 2.1.1. The vulnerability resides in the \u003ccode\u003e.github/workflows/regenerate-migrations.yml\u003c/code\u003e workflow. This workflow utilizes the \u003ccode\u003epull_request_target\u003c/code\u003e trigger, granting it full \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e write permissions. An attacker can exploit this by submitting a malicious pull request containing a specially crafted \u003ccode\u003ewebsite/models.py\u003c/code\u003e file. When a maintainer applies the \u003ccode\u003eregenerate-migrations\u003c/code\u003e label, the workflow copies files from the untrusted pull request, specifically the \u003ccode\u003ewebsite/models.py\u003c/code\u003e file, into the trusted runner workspace using \u003ccode\u003egit show\u003c/code\u003e. Subsequently, the workflow executes \u003ccode\u003epython manage.py makemigrations\u003c/code\u003e, which imports Django model modules, including the attacker-controlled \u003ccode\u003ewebsite/models.py\u003c/code\u003e. This import leads to the execution of any module-level Python code within the attacker's \u003ccode\u003emodels.py\u003c/code\u003e file. This results in arbitrary code execution within the privileged CI environment, enabling access to \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e and repository secrets.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker creates a malicious fork of an OWASP BLT repository running a version prior to 2.1.1.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a \u003ccode\u003ewebsite/models.py\u003c/code\u003e file containing malicious Python code designed for remote code execution, such as exfiltrating secrets or injecting a reverse shell.\u003c/li\u003e\n\u003cli\u003eThe attacker submits a pull request to the upstream OWASP BLT repository, including the malicious \u003ccode\u003ewebsite/models.py\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eA maintainer applies the \u003ccode\u003eregenerate-migrations\u003c/code\u003e label to the pull request, triggering the \u003ccode\u003e.github/workflows/regenerate-migrations.yml\u003c/code\u003e workflow.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003egit show\u003c/code\u003e command within the workflow copies the attacker-controlled \u003ccode\u003ewebsite/models.py\u003c/code\u003e file from the pull request into the runner's workspace.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epython manage.py makemigrations\u003c/code\u003e command is executed, which imports the Django model modules, including the malicious \u003ccode\u003ewebsite/models.py\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe attacker's malicious Python code within \u003ccode\u003ewebsite/models.py\u003c/code\u003e is executed in the privileged CI environment, granting access to \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e and repository secrets.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e to exfiltrate sensitive information, inject malicious code, or perform other unauthorized actions within the repository, potentially leading to a supply chain attack.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40316 allows an attacker to achieve remote code execution within the OWASP BLT CI environment. This can lead to the exfiltration of sensitive information, such as API keys and credentials, potentially compromising connected systems. The attacker can also modify the repository code, inject malicious code, or even take complete control of the repository. This poses a significant risk to the integrity and security of the OWASP BLT project and its users. Given that OWASP BLT is used for QA testing and vulnerability disclosure, a successful attack could undermine trust in the platform itself, impacting numerous other projects and organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OWASP BLT to version 2.1.1 or later to patch CVE-2026-40316.\u003c/li\u003e\n\u003cli\u003eImplement controls to restrict the use of the \u003ccode\u003eregenerate-migrations\u003c/code\u003e label and require multi-factor authentication for maintainers.\u003c/li\u003e\n\u003cli\u003eMonitor GitHub Actions logs for suspicious activity, particularly related to the \u003ccode\u003eregenerate-migrations\u003c/code\u003e workflow and the execution of \u003ccode\u003epython manage.py makemigrations\u003c/code\u003e. Deploy the Sigma rules in this brief to your SIEM to detect suspicious activity.\u003c/li\u003e\n\u003cli\u003eImplement code review processes to carefully examine pull requests, especially those modifying \u003ccode\u003ewebsite/models.py\u003c/code\u003e or other critical files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T15:00:00Z","date_published":"2024-01-02T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-owasp-blt-rce/","summary":"OWASP BLT versions before 2.1.1 are vulnerable to remote code execution via a malicious pull request that injects code into the CI environment through the 'regenerate-migrations' workflow.","title":"OWASP BLT RCE via Malicious Pull Request","url":"https://feed.craftedsignal.io/briefs/2024-01-owasp-blt-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - OWASP","version":"https://jsonfeed.org/version/1.1"}