CVE-2021-21423: Exposure of CVS Repository to an Unauthorized Control Sphere
Users of projen’s NodeProject project type (including any project type derived from it) include a .github/workflows/rebuild-bot.yml workflow that may allow any GitHub user to trigger execution of untrusted code in the context of the “main” repository (as opposed to that of a fork). In some situations, such untrusted code may potentially be able to commit to the “main” repository.
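As an added example (not code from the projen project or from this advisory), a line-based check for the workflow pattern the advisory describes: a job that runs in the base repository's privileged context on an event any GitHub user can raise, and then checks out pull-request code. The two workflow snippets are constructed and simplified; the specific triggers and checkout form are assumptions about how such a rebuild bot is typically written, not a reproduction of the actual rebuild-bot.yml.

```python
import re
# Constructed sample (not projen's actual rebuild-bot.yml): any commenter can
# trigger it, and it checks out PR code in the main repo's privileged context.
RISKY = """\
on:
  issue_comment:
jobs:
  rebuild:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          ref: refs/pull/${{ github.event.issue.number }}/head
      - run: yarn build
      - run: git push
"""

# Constructed hardened variant: pull_request runs fork code with a read-only token.
SAFE = """\
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: yarn build
"""

PRIVILEGED = {"issue_comment", "pull_request_target"}   # run with base repo's token
UNTRUSTED_REF = re.compile(r"refs/pull/.*/head|\bhead\.(ref|sha)\b")  # PR code

def triggers(text):
    """Return event names listed under the top-level 'on:' block (line-based)."""
    names, in_on = set(), False
    for line in text.splitlines():
        if re.match(r"^on:\s*$", line):
            in_on = True
        elif in_on and line and not line.startswith(" "):
            break                                  # left the 'on:' block
        elif in_on:
            m = re.match(r"^  (\w+):", line)       # two-space-indented event key
            if m:
                names.add(m.group(1))
    return names

def findings(text):
    """Privileged trigger plus checkout of PR code: the pattern in this advisory."""
    risky = triggers(text) & PRIVILEGED
    return sorted(risky) if risky and UNTRUSTED_REF.search(text) else []
```

Running `findings` over every file under .github/workflows/ flags candidates for manual review; a real YAML parser should replace the line-based scan for anything beyond this demonstration.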