构件下载 on 办公AI智能小助手 https://blog.qife122.com/tags/%E6%9E%84%E4%BB%B6%E4%B8%8B%E8%BD%BD/ Recent content in 构件下载 on 办公AI智能小助手 Hugo zh-cn qife Thu, 23 Oct 2025 20:43:46 +0800 GitHub Actions下载构件漏洞:路径遍历导致任意文件写入 https://blog.qife122.com/p/github-actions%E4%B8%8B%E8%BD%BD%E6%9E%84%E4%BB%B6%E6%BC%8F%E6%B4%9E%E8%B7%AF%E5%BE%84%E9%81%8D%E5%8E%86%E5%AF%BC%E8%87%B4%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E5%86%99%E5%85%A5/ Thu, 23 Oct 2025 20:43:46 +0800 https://blog.qife122.com/p/github-actions%E4%B8%8B%E8%BD%BD%E6%9E%84%E4%BB%B6%E6%BC%8F%E6%B4%9E%E8%B7%AF%E5%BE%84%E9%81%8D%E5%8E%86%E5%AF%BC%E8%87%B4%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E5%86%99%E5%85%A5/ <h1 id="actionsdownload-artifact-存在通过构件提取实现的任意文件写入漏洞">@actions/download-artifact 存在通过构件提取实现的任意文件写入漏洞</h1> <h2 id="漏洞详情">漏洞详情</h2> <p><strong>包名</strong>: actions/download-artifact (GitHub Actions)</p> <p><strong>受影响版本</strong>: &gt;= 4.0.0, &lt; 4.1.3</p> <p><strong>已修复版本</strong>: 4.1.3</p> <h2 id="漏洞描述">漏洞描述</h2> <h3 id="影响">影响</h3> <p>在下载和提取包含路径遍历文件名的特制构件时,4.1.3之前版本的actions/download-artifact容易受到任意文件写入攻击。</p>