Beware! AutomataCI Release Jobs Can Reset Git Repositories to First Commit

CVE: CVE-2023-42798
CVSS (v3.1): 8.2
Source: CVE-2023-42798

AutomataCI is an open source continuous integration tool that is used by many developers to automate the build, test, and deployment processes. Unfortunately, a vulnerability was discovered in versions 1.4.1 and below that could allow a malicious actor to compromise release jobs.

The issue lies in how AutomataCI handles git repositories during the release process. When creating releases, it is supposed to clone the code from the main repository into a releases folder. However, due to a bug, it was possible for a bad actor to trick the release job into resetting the entire git repository back to the first commit.

This essentially wipes out all code changes and reverts the repository to its initial commit. Imagine the damage this could cause for any project actively using AutomataCI for releases! All current code and features would be lost.

Luckily, the developers were quickly notified and released version 1.5.0 with a fix. As a precaution, users are advised to manually verify their release directories are separate cloned repositories, rather than symlinks back to the main code. This prevents any reset from affecting the primary codebase.
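One way to perform the check recommended above, as an added example that is not from the AutomataCI project: a POSIX shell function that fails when a release directory is a symlink, has a symlinked or shared `.git`, or resolves to the same path as the main repository. The function name and directory layout are assumptions for illustration.

```shell
#!/bin/sh
# Verify that RELEASE_DIR is an independent clone rather than a symlink or
# shared-state view of MAIN_REPO, so a reset inside it cannot touch the main code.
# Usage: check_release_dir MAIN_REPO RELEASE_DIR
# Exit status: 0 = independent clone, 1 = shares state with MAIN_REPO / not a clone
check_release_dir() {
    main_repo="$1"
    release_dir="$2"

    # 1. The release directory itself must not be a symlink.
    if [ -L "$release_dir" ]; then
        echo "FAIL: $release_dir is a symlink -> $(readlink "$release_dir")"
        return 1
    fi
    # 2. It must exist as a real directory.
    if [ ! -d "$release_dir" ]; then
        echo "FAIL: $release_dir does not exist"
        return 1
    fi
    # 3. Its .git must not be a symlink (a reset would follow it to the target).
    if [ -L "$release_dir/.git" ]; then
        echo "FAIL: $release_dir/.git is a symlink -> $(readlink "$release_dir/.git")"
        return 1
    fi
    # 4. A 'gitdir:' file means a worktree or submodule sharing another repo's object store.
    if [ -f "$release_dir/.git" ] && grep -q '^gitdir:' "$release_dir/.git"; then
        echo "FAIL: $release_dir/.git points at another repository"
        return 1
    fi
    # 5. Resolved physical paths must differ (catches symlinked parent directories).
    main_real=$(cd "$main_repo" 2>/dev/null && pwd -P)
    release_real=$(cd "$release_dir" 2>/dev/null && pwd -P)
    if [ -n "$main_real" ] && [ "$main_real" = "$release_real" ]; then
        echo "FAIL: $release_dir resolves to the main repository at $main_real"
        return 1
    fi
    # 6. It must carry a .git directory of its own, i.e. be a standalone clone.
    if [ ! -d "$release_dir/.git" ]; then
        echo "FAIL: $release_dir has no .git directory (not a standalone clone)"
        return 1
    fi
    echo "OK: $release_dir is an independent clone"
    return 0
}
```

Run it against each release folder AutomataCI writes to; any FAIL line means a reset in that folder could reach the main repository.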

If you use AutomataCI in your development or deployment process, be sure to upgrade to the latest version immediately and double check your release folders. Taking a few minutes now could save you from major headaches down the road. Stay safe out there!
