Researchers have disclosed a vulnerability to Microsoft’s GitHub team detailing an issue with GitHub Actions that lets a user with write access, but no administrative rights, bypass the peer review required on a protected branch and get malicious code merged into the main branch. Such an event could compromise the build pipeline and allow malicious code to execute in production software.
GitHub Actions is enabled by default on repositories and is used to build and run the workflows that drive software development. Anyone with write access can add or modify workflow files, so administrator privileges are not needed to exploit this issue. A workflow can use the GITHUB_TOKEN that GitHub supplies to every job to approve the pull request it is running on; when it does, the approval is recorded as coming from the GitHub Actions bot and counts toward the required organization-member review, allowing the code to be merged.
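The following is an added example, not code from the article or the researchers who reported the issue. It embeds a constructed workflow of the kind the article describes (one that approves the pull request it runs on with the job's GITHUB_TOKEN, via the real `gh pr review --approve` command) next to an ordinary test workflow, and a small audit function that flags the former. The sample workflow contents, the function name, and the regular expressions are assumptions made for the example; the patterns cover the gh CLI and the REST endpoint `POST /repos/{owner}/{repo}/pulls/{n}/reviews`, which are the two documented ways a step can post a review.

```python
"""Audit GitHub Actions workflow text for steps that could approve a pull
request using the job's own GITHUB_TOKEN (added example, not the PoC)."""
import re

# Constructed sample: a workflow that approves the very PR it runs on, using
# the token GitHub hands every job. Any user with write access could commit it.
SELF_APPROVING_WORKFLOW = """\
name: ci
on: [pull_request]
permissions:
  pull-requests: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: gh pr review "$PR" --approve
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR: ${{ github.event.pull_request.number }}
"""

# Constructed sample: an ordinary test workflow for comparison.
BENIGN_WORKFLOW = """\
name: tests
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: npm ci && npm test
"""

# Ways a step can approve a PR: the gh CLI, or the REST endpoint
# POST /repos/{owner}/{repo}/pulls/{n}/reviews with event=APPROVE.
APPROVAL_PATTERNS = [
    re.compile(r"gh\s+pr\s+review\b[^\n]*--approve"),
    re.compile(r"/pulls/[^/\s]+/reviews"),
    re.compile(r"\bAPPROVE\b"),
]
# The token every job receives, in either of its spellings.
TOKEN_PATTERN = re.compile(r"secrets\.GITHUB_TOKEN|github\.token|GITHUB_TOKEN")
# Triggers that give the job a pull request to approve.
PR_TRIGGER = re.compile(r"^\s*on:.*pull_request|^\s+pull_request(_target)?:", re.M)


def audit_workflow(text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: list[str] = []
    approves = [p.pattern for p in APPROVAL_PATTERNS if p.search(text)]
    if not approves:
        return findings
    findings.append(f"approval call present ({', '.join(approves)})")
    if TOKEN_PATTERN.search(text):
        findings.append("uses the job's GITHUB_TOKEN, so the review is posted as the GitHub Actions bot")
    if PR_TRIGGER.search(text):
        findings.append("runs on pull_request events, so it can approve the PR that triggered it")
    if re.search(r"pull-requests:\s*write", text):
        findings.append("grants pull-requests: write to the token")
    return findings


if __name__ == "__main__":
    for name, wf in (("self-approving", SELF_APPROVING_WORKFLOW), ("benign", BENIGN_WORKFLOW)):
        print(name, "->", audit_workflow(wf) or "clean")
```

Run the audit over every file under `.github/workflows/` in repositories whose protected branches rely on required reviews; a hit on a workflow triggered by `pull_request` or `pull_request_target` deserves a manual look. Text matching like this is a triage aid, not a proof of safety: a step can reach the same API through a third-party action or an indirect script. As context not stated in the article, GitHub has since added a repository and organization setting, "Allow GitHub Actions to create and approve pull requests", which is off by default for new repositories; keeping it off stops the bot's approval from satisfying a required review regardless of what a workflow does.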