Impact
An attacker can execute arbitrary code in the context of a GitHub runner by creating a specially crafted GitHub issue.
Patches
This issue is patched in gajira-create version 2.0.1.
Workarounds
There are no known workarounds.
References
GitHub Security Lab advisory GHSL-2020-172