CVE-2022-46179 CRITICAL

CVE-2022-46179: LiuOS vulnerable to Authorization Bypass through User-Controlled Key

Vendor Liuwoodscode
Product LiuOS
Weakness CWE-639 · IDOR
Published December 28, 2022
Last update April 14, 2025

CVSS base score

9.2/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H

What the vulnerability does

Description

LiuOS is a small Python project meant to imitate the functions of a regular operating system. Versions 0.1.0 and prior of LiuOS allow an attacker to set the GITHUB_ACTIONS environment variable to anything other than null or true and thereby skip authentication checks. This issue is patched in the latest commit (c658b4f3e57258acf5f6207a90c2f2169698ae22) by requiring the variable to be set to true, which causes a test script to run instead of granting a login. A potential workaround is to check for the GITHUB_ACTIONS environment variable and set it to "" (no quotes) to null the variable and force credential checks.
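As an added illustration (not LiuOS's own code; the function names and the login flow are constructed to match the advisory's description), the weak environment check beside the patched one, and the effect of the "" workaround:

```python
from typing import Mapping

Env = Mapping[str, str]


def ci_mode_vulnerable(env: Env) -> bool:
    """Pre-patch style check (constructed): any non-empty value of
    GITHUB_ACTIONS counts as 'running under CI'. A local user who sets
    the variable to e.g. "1" is trusted without credentials."""
    return bool(env.get("GITHUB_ACTIONS"))


def ci_mode_fixed(env: Env) -> bool:
    """Post-patch style check (constructed): only the literal "true",
    the value GitHub Actions itself exports, selects the CI path."""
    return env.get("GITHUB_ACTIONS") == "true"


def start_vulnerable(env: Env, credentials_ok: bool) -> str:
    """Vulnerable flow: CI mode skips the credential check entirely."""
    if ci_mode_vulnerable(env):
        return "session"  # authentication bypassed
    return "session" if credentials_ok else "denied"


def start_fixed(env: Env, credentials_ok: bool) -> str:
    """Patched flow: CI mode runs the test script instead of a login,
    so the CI path can no longer be turned into a session."""
    if ci_mode_fixed(env):
        return "test-script"
    return "session" if credentials_ok else "denied"


def apply_workaround(env: Env) -> dict:
    """Advisory workaround: null the variable by setting it to "" so the
    vulnerable check falls through to the credential check."""
    patched = dict(env)
    patched["GITHUB_ACTIONS"] = ""
    return patched


if __name__ == "__main__":
    # Constructed environment: variable set to an arbitrary value, no valid credentials.
    attacker_env = {"GITHUB_ACTIONS": "1"}
    print("vulnerable:", start_vulnerable(attacker_env, False))                   # session
    print("fixed:     ", start_fixed(attacker_env, False))                        # denied
    print("workaround:", start_vulnerable(apply_workaround(attacker_env), False))  # denied
```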

Key dates

Disclosure timeline

December 28, 2022 CVE published
April 14, 2025 Record updated