Fix permissions for check-run action#122

Merged
mandreko-bitwarden merged 2 commits into main from vuln-252-check-run-least-priv, Jun 9, 2025
Conversation

@mandreko-bitwarden
Contributor

Ticket

Description

Further restrict permissions to check-run, to prevent abuse of GitHub tokens
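The PR does not reproduce its diff here, so as an added illustration of what "restrict permissions" means for a step that creates a check run (this is not the PR's change and not Bitwarden's workflow or action code), below is the same GitHub Actions workflow twice: first with GITHUB_TOKEN left at the repository default, then with the job granted only the scopes it needs. The workflow names, the job name and the `example/check-run@v1` action reference are placeholders; the assumption is that the reporting step needs nothing beyond the Checks API and that the checkout step is the only reason for `contents: read`.

```yaml
# Added example (not this PR's diff and not Bitwarden's workflow or action code).
# Assumptions: the job only needs to create/update a check run and to check out
# the repository; "example/check-run@v1" is a placeholder action reference.

# ---- Before: GITHUB_TOKEN scope inherited from the repository default ----
# If the repository default is "read and write", every step in this job can
# push to branches, edit issues and pull requests, write packages, and more,
# although only the Checks API is needed.
name: scan-summary-before
on:
  pull_request_target:          # write-capable token, even for PRs from forks
jobs:
  report:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example/check-run@v1           # placeholder
        with:
          name: scan-summary
          conclusion: success
          token: ${{ secrets.GITHUB_TOKEN }}

---
# ---- After: least privilege ----
name: scan-summary-after
on:
  pull_request_target:
permissions: {}                  # workflow-wide: no scopes unless a job asks
jobs:
  report:
    runs-on: ubuntu-latest
    permissions:                 # replaces the whole set for this job
      contents: read             # needed only by actions/checkout
      checks: write              # needed to POST /repos/{owner}/{repo}/check-runs
    steps:
      - uses: actions/checkout@v4
      - uses: example/check-run@v1           # placeholder
        with:
          name: scan-summary
          conclusion: success
          token: ${{ secrets.GITHUB_TOKEN }}
```

Two caveats worth keeping in mind when reviewing a change like this one. An action cannot declare its own token scopes in `action.yml`; the calling workflow decides, so the action's documentation has to state the minimum it needs (`checks: write` here, not `pull-requests: write`). And for `pull_request` runs triggered from a fork the token is read-only regardless of what the workflow asks for, so the restriction matters most on events that hand out a write-capable token (`push`, `pull_request_target`, `workflow_run`). To confirm what a job actually received, expand the "Set up job" step in the run log; it prints the GITHUB_TOKEN permissions in effect.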

@mandreko-bitwarden mandreko-bitwarden requested a review from a team as a code owner June 6, 2025 14:31
github-actions Bot commented Jun 6, 2025

Checkmarx One – Scan Summary & Details: b0794733-59e8-4644-bbbb-7f0cda403e36

New Issues (5)

Checkmarx found the following issues in this Pull Request

Severity | Issue | Source File / Package | Checkmarx Insight

CRITICAL | CVE-2025-31651 | Maven-org.apache.tomcat.embed:tomcat-embed-core-10.1.12 | Vulnerable Package
  Recommended version: 10.1.41
  Description: Improper Neutralization of Escape, Meta, or Control Sequences vulnerability was found within Apache Tomcat. For a subset of unlikely rewrite rule c...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: 4PEQzDsKk6MuPVMoBJRSj%2F2EuFgGS4BC7x7CvZ3Q3mU%3D

HIGH | CVE-2024-13009 | Maven-org.eclipse.jetty:jetty-server-9.4.49.v20220914 | Vulnerable Package
  Recommended version: 9.4.57.v20241219
  Description: In Eclipse Jetty versions 9.4.0.M0 prior to 9.4.57.v20241219, a buffer may be incorrectly released when a gzip error occurs during the inflation of...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: HTexkfRE53xuMtOE6%2BjnWDy4lyL0WaRD2aGggWyULDY%3D

HIGH | CVE-2025-1948 | Maven-org.eclipse.jetty.http2:http2-common-9.4.49.v20220914 | Vulnerable Package
  Description: In Eclipse Jetty, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter "SETTINGS_MAX_HEADER_LIST_SIZE". The Jetty HTTP...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: mraOxV9huyiL0BSrtZADe6rlK1nOwdt7bZNHKG%2FiHrU%3D

HIGH | CVE-2025-31650 | Maven-org.apache.tomcat.embed:tomcat-embed-core-10.1.12 | Vulnerable Package
  Recommended version: 10.1.41
  Description: Improper Input Validation vulnerability was found in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in inc...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: H%2BhMlTz3P7ZiXrAivAAW8hYRtQdc2Evno%2BfUwWQbJog%3D

HIGH | CVE-2025-46701 | Maven-org.apache.tomcat.embed:tomcat-embed-core-10.1.12 | Vulnerable Package
  Recommended version: 10.1.41
  Description: Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's CGI servlet allows security constraint bypass of security constraints that a...
  Attack Vector: NETWORK
  Attack Complexity: LOW
  ID: rY7fQoi7RmCHCf73jYXr%2BLBZe5S2kF%2FA3%2F%2FYprL9gE8%3D

abergs previously approved these changes Jun 7, 2025
@mandreko-bitwarden mandreko-bitwarden force-pushed the vuln-252-check-run-least-priv branch from a6efbe0 to d0458a7 on June 9, 2025 13:36
@mandreko-bitwarden mandreko-bitwarden merged commit d7f37a1 into main Jun 9, 2025
3 checks passed
@mandreko-bitwarden mandreko-bitwarden deleted the vuln-252-check-run-least-priv branch June 9, 2025 18:55