CVE-2022-39326 is a code injection vulnerability classified under CWE-94 (Improper Control of Generation of Code) affecting the kartverket/github-workflows repository, specifically the reusable workflow named `run-terraform`. This repository provides shared reusable GitHub Actions workflows used to automate infrastructure provisioning and other DevOps tasks. Versions prior to 2.7.5 of this workflow are vulnerable. The flaw allows a malicious actor to craft a pull request (PR) containing a specially designed payload that, when executed by the workflow, results in arbitrary JavaScript code execution within the context of the GitHub Actions runner. This means that if an external contributor submits a PR with malicious code, and the workflow is triggered without proper validation, the attacker's code could run with the permissions granted to the workflow, potentially compromising the build environment or leaking sensitive information. The vulnerability arises from insufficient sanitization or validation of inputs used in code generation or execution steps within the workflow, enabling injection of malicious code. The issue was publicly disclosed on October 25, 2022, and fixed in version 2.7.5 of the kartverket/github-workflows. No known exploits have been reported in the wild to date. The vulnerability requires that a PR from an external user be merged or at least trigger the workflow, so it depends on the repository's contribution and CI/CD policies. The flaw impacts confidentiality and integrity primarily, as arbitrary code execution can lead to unauthorized access or modification of code and secrets within the CI environment. Availability impact is limited but possible if the injected code disrupts workflow execution. The vulnerability does not require authentication beyond the ability to submit a PR, which is often allowed in open-source or collaborative projects. User interaction is limited to the repository maintainers or automated systems that trigger the workflow upon PR submission or merging.

For European organizations using the kartverket/github-workflows, particularly the `run-terraform` reusable workflow prior to version 2.7.5, this vulnerability poses a risk of supply chain compromise through CI/CD pipelines. Attackers could inject malicious code that executes during automated infrastructure provisioning or deployment, potentially leading to unauthorized access to cloud environments, leakage of secrets (such as API keys or credentials stored in GitHub secrets), or tampering with infrastructure-as-code templates. This could result in data breaches, service disruptions, or unauthorized infrastructure changes. Organizations relying on these workflows for critical infrastructure automation are at risk of integrity violations and potential lateral movement within their environments. The impact is heightened in organizations with open or semi-open contribution models where external contributors can submit PRs that trigger workflows. European organizations in sectors with stringent data protection regulations (e.g., finance, healthcare, government) could face compliance risks if sensitive data is exposed or systems are compromised. However, the lack of known exploits in the wild and the medium severity rating suggest the threat is moderate but should not be underestimated, especially given the increasing use of GitHub Actions in DevOps pipelines.

1. Immediate upgrade: Organizations should upgrade all usages of kartverket/github-workflows to version 2.7.5 or later to eliminate the vulnerability. 2. PR review policies: Implement strict code review and validation processes for all pull requests, especially from external contributors, to detect and block malicious payloads before workflows are triggered. 3. Workflow permissions: Limit GitHub Actions workflow permissions using the principle of least privilege, restricting access to secrets and sensitive resources. 4. Use workflow approval: Configure workflows to require manual approval before running on PRs from untrusted contributors. 5. Secrets management: Avoid embedding sensitive secrets directly in workflows; use GitHub secrets with restricted access and rotate them regularly. 6. Monitoring and alerting: Enable logging and monitoring of GitHub Actions runs to detect anomalous or unexpected behavior indicative of exploitation attempts. 7. Isolate build environments: Use ephemeral or sandboxed runners to minimize impact if code injection occurs. 8. Educate developers and maintainers about the risks of code injection in CI/CD pipelines and the importance of secure workflow configurations.