Beware of Expression Injection in OTClient SonarCloud Workflow

CVE: CVE-2024-21623
CVSS v3.1: 9.8
Source: CVE-2024-21623

OTClient is an open source Tibia client. A vulnerability in the GitHub Actions workflow that runs its SonarCloud analysis allowed an attacker to execute arbitrary code on the GitHub-hosted runner performing that analysis.

SonarCloud is a hosted static analysis service that scans code for quality and security issues; for repositories on GitHub it is usually wired in through a GitHub Actions workflow. OTClient had such a workflow, configured to run a SonarCloud analysis on every code change.

The vulnerability was an expression injection flaw in how the workflow passed external inputs into the SonarCloud step. GitHub Actions expands `${{ ... }}` expressions textually, before the shell in a `run:` step ever parses the script, so when a workflow places attacker-controlled event data (a pull request title, a branch name, a commit message) directly inside a `run:` command, that data becomes part of the command line rather than an argument to it. A malicious actor could craft a commit message or pull request title that closed the surrounding quotes and appended a command of their own, and the runner would execute it. This gave them command execution on the runner performing the analysis.
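As an added illustration (this is not OTClient's workflow, and every value below is constructed), the following POSIX shell script simulates the two halves of the problem. The runner substitutes a `${{ github.event.pull_request.title }}` expression into the step's script as plain text and only then hands the result to the shell, so a title that closes the quote and appends a command gets that command executed. Passing the same title through an environment variable instead leaves it as data. The substitution routine here is a deliberately simplified stand-in for what the runner does; the constructed title uses a harmless `echo` as its payload.

```shell
#!/bin/sh
# Added example, not OTClient code. Simulates how a `run:` step is built from a
# workflow file: `${{ }}` expressions are replaced textually, then `sh -c` runs it.

# The literal expression as it would appear in the workflow file.
MARKER='${{ github.event.pull_request.title }}'

# Vulnerable step body: the expression is interpolated straight into the script.
VULN_STEP='echo "Analyzing PR: '"$MARKER"'"'

# Hardened step body: the value arrives via an environment variable (set from an
# `env:` entry in the real workflow), so the shell only sees a variable reference.
SAFE_STEP='echo "Analyzing PR: $PR_TITLE"'

# Constructed attacker-controlled PR title: closes the quote, appends a command,
# and reopens a quote so the remainder of the original line still parses.
EVIL_TITLE='fix typo"; echo INJECTED; echo "'

# Simulate the runner: replace MARKER in the step body with the raw value.
# $1 = step body, $2 = value substituted for MARKER. Output is the final script.
expand_expression() {
    before=${1%%"$MARKER"*}
    after=${1#*"$MARKER"}
    printf '%s%s%s' "$before" "$2" "$after"
}

# Run the vulnerable step with the evil title. Prints 1 if the payload executed.
vulnerable_payload_ran() {
    script=$(expand_expression "$VULN_STEP" "$EVIL_TITLE")
    if sh -c "$script" 2>/dev/null | grep -qx 'INJECTED'; then echo 1; else echo 0; fi
}

# Run the hardened step: no substitution happens, the title is just data.
# Prints 1 if the payload executed (it should not).
hardened_payload_ran() {
    if PR_TITLE="$EVIL_TITLE" sh -c "$SAFE_STEP" 2>/dev/null | grep -qx 'INJECTED'; then echo 1; else echo 0; fi
}

echo "script the runner would execute: $(expand_expression "$VULN_STEP" "$EVIL_TITLE")"
echo "vulnerable step executed payload: $(vulnerable_payload_ran)"
echo "hardened step executed payload:   $(hardened_payload_ran)"
```

The hardened form is the one GitHub's own guidance prescribes: put the expression in the step's `env:` map and reference the variable from the script. The shell never sees the attacker's text as syntax, so quoting tricks in the title have nothing to break out of.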

With command execution on the runner, an attacker controls that job's environment. They can read any secrets exposed to the job (for a SonarCloud workflow that includes the token used to upload results, plus the job's GITHUB_TOKEN), tamper with the analysis or the build, and, if the job's token carries write permission, push changes to the repository. Hosted runners are ephemeral, so persistent malware on the machine matters less than what the attacker can exfiltrate or commit during the job. This puts the integrity of the OTClient project at risk.

The maintainers have fixed the workflow. Because the flaw was in the repository's CI configuration rather than in the client code, the fix lives in the repository; anyone who forked OTClient and kept a copy of the workflow should pull it. Repository owners more generally should review any workflow or third-party integration that builds commands from external inputs such as commit messages, branch names, or pull request titles and bodies: pass such values into steps through `env:` and reference them as shell variables instead of interpolating `${{ }}` expressions into `run:` scripts, and keep the GITHUB_TOKEN permissions of analysis jobs to the minimum they need. Regular review of workflow changes and keeping dependencies up to date help catch and fix issues before attackers exploit them.
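An added example of the review step recommended above (not a tool from the OTClient project; the workflow file it scans is constructed, and the list of untrusted contexts is a starting point rather than a complete catalogue): a POSIX shell function that walks a workflow file and reports `run:` lines, whether single-line or inside a `run: |` block scalar, that embed attacker-controlled event fields such as pull request titles, branch names, or commit messages. The hardened step in the sample shows the pattern that passes the audit: the expression goes into `env:` and the script references the variable.

```shell
#!/bin/sh
# Added example, not OTClient code. Flags untrusted ${{ }} event data inside
# run: steps of a GitHub Actions workflow. The sample workflow is constructed.

# audit_workflow FILE: print "FILE:LINE: text" for each risky run: line.
# Tracks `run: |` / `run: >` block scalars by indentation; blank lines are ignored.
audit_workflow() {
    awk -v file="$1" '
    BEGIN {
        # Event fields an outside contributor controls (constructed list, not exhaustive).
        re = "\\$[{][{][^}]*(github\\.head_ref|github\\.event\\.(pull_request\\.(title|body|head\\.(ref|label))|issue\\.(title|body)|comment\\.body|head_commit\\.message|commits\\[[0-9]+\\]\\.message|review\\.body))"
    }
    /^[ ]*$/ { next }                               # blank line: does not end a block scalar
    {
        match($0, /^ */); ind = RLENGTH              # leading-space indent of this line
        if (inrun && ind <= runind) inrun = 0        # dedent: the run: block has ended
        untrusted = ($0 ~ re)
        if ($0 ~ /^ *(- )?run: *[|>]/) {             # start of a multi-line run: step
            inrun = 1; runind = ind; next
        }
        if (untrusted && (inrun || $0 ~ /^ *(- )?run:/))
            print file ":" NR ": " $0
    }' "$1"
}

# count_findings FILE: number of lines audit_workflow reports.
count_findings() {
    audit_workflow "$1" | awk 'END { print NR }'
}

# Constructed sample workflow with two unsafe steps and one hardened step.
WF="$(mktemp -d)/sonarcloud.yml"
cat > "$WF" <<'EOF'
name: SonarCloud
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Show PR title (unsafe)
        run: echo "Analyzing ${{ github.event.pull_request.title }}"
      - name: Run analysis (unsafe, multi-line)
        run: |
          BRANCH="${{ github.head_ref }}"
          sonar-scanner -Dsonar.branch.name="$BRANCH"
      - name: Run analysis (hardened)
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Analyzing $PR_TITLE"
EOF

audit_workflow "$WF"
echo "findings: $(count_findings "$WF")"
```

Run it against a checkout with `for f in .github/workflows/*.yml; do audit_workflow "$f"; done`. The indentation heuristic is deliberately simple; a finding is a prompt to read the step, and a clean result is not proof of safety, since composite actions and scripts invoked from the step can interpolate the same data out of sight of this scan.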
