{"id":"PYSEC-2021-111","details":"`projen` is a project generation tool that synthesizes project configuration files such as `package.json`, `tsconfig.json`, `.gitignore`, GitHub Workflows, `eslint`, `jest`, and more, from a well-typed definition written in JavaScript. Users of projen's `NodeProject` project type (including any project type derived from it) include a `.github/workflows/rebuild-bot.yml` workflow that may allow any GitHub user to trigger execution of un-trusted code in the context of the \"main\" repository (as opposed to that of a fork). In some situations, such untrusted code may potentially be able to commit to the \"main\" repository. The rebuild-bot workflow is triggered by comments including `@projen rebuild` on pull-request to trigger a re-build of the projen project, and updating the pull request with the updated files. This workflow is triggered by an `issue_comment` event, and thus always executes with a `GITHUB_TOKEN` belonging to the repository into which the pull-request is made (this is in contrast with workflows triggered by `pull_request` events, which always execute with a `GITHUB_TOKEN` belonging to the repository from which the pull-request is made). Repositories that do not have branch protection configured on their default branch (typically `main` or `master`) could possibly allow an untrusted user to gain access to secrets configured on the repository (such as NPM tokens, etc). Branch protection prohibits this escalation, as the managed `GITHUB_TOKEN` would not be able to modify the contents of a protected branch and affected workflows must be defined on the default branch.","aliases":["CVE-2021-21423","GHSA-gg2g-m5wc-vccq"],"modified":"2023-11-08T04:04:45.525339Z","published":"2021-04-06T19:15:00Z","references":[{"type":"ADVISORY","url":"https://github.com/projen/projen/security/advisories/GHSA-gg2g-m5wc-vccq"},{"type":"FIX","url":"https://github.com/projen/projen/commit/36030c6a4b1acd0054673322612e7c70e9446643"},{"type":"WEB","url":"https://www.npmjs.com/package/projen"}],"affected":[{"package":{"name":"projen","ecosystem":"PyPI","purl":"pkg:pypi/projen"},"ranges":[{"type":"GIT","repo":"https://github.com/projen/projen","events":[{"introduced":"0"},{"fixed":"36030c6a4b1acd0054673322612e7c70e9446643"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.16.41"}]}],"versions":["0.14.0","0.14.1","0.14.10","0.14.2","0.14.3","0.14.4","0.14.5","0.14.6","0.14.7","0.14.8","0.14.9","0.15.0","0.15.1","0.15.10","0.15.11","0.15.12","0.15.13","0.15.14","0.15.15","0.15.16","0.15.17","0.15.18","0.15.2","0.15.3","0.15.4","0.15.5","0.15.6","0.15.7","0.15.8","0.15.9","0.16.0","0.16.1","0.16.10","0.16.11","0.16.12","0.16.13","0.16.14","0.16.15","0.16.16","0.16.17","0.16.18","0.16.19","0.16.2","0.16.20","0.16.21","0.16.22","0.16.23","0.16.24","0.16.25","0.16.26","0.16.27","0.16.28","0.16.29","0.16.3","0.16.30","0.16.31","0.16.32","0.16.33","0.16.34","0.16.35","0.16.36","0.16.37","0.16.38","0.16.39","0.16.4","0.16.40","0.16.5","0.16.7","0.16.8","0.16.9"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/projen/PYSEC-2021-111.yaml"}}],"schema_version":"1.7.3"}