GitHub fixes a security flaw detected by Google that affected the Actions function

Written by Secure, 2 years ago

The open-source platform GitHub has fixed a security flaw in its GitHub Actions feature that Google detected more than three months ago.

Engineer Felix Wilhelm of Project Zero, Google's team of cybersecurity analysts, first reported the bug to GitHub on July 21 and described it as "high severity".

The flaw affected the platform's Actions feature, a tool that automates software workflows and that Wilhelm said was "highly vulnerable to injection attacks."

Injection attacks are those in which attackers take advantage of a flaw to add malicious SQL code to a database, allowing them to access an account or modify data.

Project Zero makes the bugs it finds public 90 days after reporting them. Two days before that limit was reached, GitHub requested an additional 14 days to disable the vulnerable commands, which Google accepted.

However, a day before the bug went public, GitHub said that it would not disable the commands and asked for an additional 48 hours, not to fix the problem, but to alert customers.

Finally, Project Zero released the details of the bug 104 days after reporting the issue to the platform, and GitHub disabled the vulnerable commands two weeks ago.
