GHSA-rvp7-w75q-9fv2LowCVSS 2.2
BBOT: Symlink-Following Arbitrary Write via github_workflows Module
🔗 CVE IDs covered (1)
📋 Description
The github_workflows module constructs local directory paths from user-controlled repository names without validating for symlinks. A local attacker sharing the scan directory can plant a symlink at the predictable output path, causing workflow data to be written to an attacker-chosen location.
🎯 Affected products1
- pip/bbot:>= 2.0.0, <= 2.8.4