Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow (.github/workflows/pr-docker-build.yml) allows any unauthenticated user to execute arbitrary code during the Docker build process and exfiltrate a highly privileged GITHUB_TOKEN (write-all permissions). This can be achieved simply by opening a Pull Request from a fork with a maliciously modified Dockerfile.dev. This issue has been patched via commit da44801.
A GitHub Actions workflow named 'Build and Publish PR Docker Image' (.github/workflows/pr-docker-build.yml) runs automatically in response to Pull Requests from external repository forks. An attacker can open a Pull Request from a fork where they have maliciously modified the Dockerfile.dev file. During automatic Docker image building in the context of the victim's repository, the injected code is executed with access to the GITHUB_TOKEN environment variable that has write-all permissions for all resources. This allows token exfiltration and further actions within the repository context.
An attacker can execute arbitrary code in the CI/CD environment, steal the GITHUB_TOKEN with write-all permissions, and then modify source code, publish malicious packages, manipulate releases, or gain access to repository secrets.
The repository should be updated to a version containing commit da44801, which removes the vulnerable workflow configuration. Details available in the vendor's security advisory: GHSA-v975-9h5p-xhm4
Postiz application (postiz-app) in versions before commit da44801 — affects instances using the vulnerable GitHub Actions workflow (.github/workflows/pr-docker-build.yml)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HGitroom Postiz
APPGitroom< 2.21.7
Related vulnerabilities
Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated ...
Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows ...
Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable t...
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url end...
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in Publ...