Legit Security Discovers GitHub Privilege Escalation

TEL AVIV, Israel, April 12, 2022 (GLOBE NEWSWIRE) — Legit Security, a cyber security company with an enterprise SaaS platform to secure an organization’s software supply chain, today announced the responsible disclosure of recently found GitHub-Actions pipeline privilege escalation vulnerabilities. These vulnerabilities open the door to software supply chain attacks where an attacker could take control of an organization’s software build process to disrupt internal operations or embed attacker-controlled code or backdoors in software that puts downstream customers at risk. Earlier this year, Legit Security announced a free Rapid Risk Assessment for organizations to obtain immediate insight into broader vulnerabilities across their software supply chain, including this most recent issue. In response to this specific GitHub issue, Legit Security has published a technical disclosure blog on their website which includes detailed guidance for organizations to remediate it.

The vulnerabilities were discovered in GitHub-Actions workflows, which is the software build service of the extremely popular GitHub source code management system at the heart of many organization’s…
