From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Vulnerability Description: - Environment Variable Injection: Litestar's workflow is triggered upon completion of the workflow, downloading and extracting an artifact generated by the triggering workflow. - Environment Variable Definition: The content of the file within the downloaded artifact is read and defined as an environment variable. - Malicious File Injection: Attackers can submit a malicious file containing malicious code, leading to the injection of malicious code into environment variables. 2. Vulnerability Impact: - Affected Versions: Versions are affected. - Fixed Versions: The vulnerability has been fixed in versions . 3. Exploitation Method: - Exploitation Steps: - Clone the repository. - Edit the file. - Create a Pull Request. - The attacker triggers the Pull Request, which activates the workflow, reads the malicious artifact, and injects the environment variable. 4. Impact: - Privilege Escalation: Attackers can gain write permissions, read metadata, and write access to Pull Requests. - Sensitive Information Disclosure: The secret will be leaked to the attacker. 5. Remediation Measures: - Validate the content of downloaded artifacts. - Prohibit adding new lines when redirecting to GITHUB_ENV. 6. Resources: - CodeQL for JavaScript - Expression injection in Actions - Keeping your GitHub Actions and workflows secure Part 2: Untrusted input - Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests 7. Disclosure Policy: - Disclosure reports are valid for 90 days; for more details, refer to the coordinated disclosure policy. This information provides a detailed description of the vulnerability’s nature, impact, and remediation steps, aiding in understanding the severity and how to implement secure fixes.