Description
Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, the repository has a privileged deploy workflow that runs after the unprivileged build workflow completes. The build workflow runs on pull requests, and the deploy workflow checks out the triggering workflow’s head_sha, builds that code into a Docker image, pushes it as latest, and triggers production deployment. If an attacker can open a pull request from a branch named main, the deploy workflow condition can treat the PR build as deployable and build the attacker-controlled commit in a privileged deployment context. This can result in malicious container deployment and production bot compromise. This issue has been patched in version 1.0.3.
Problem types
CWE-829: Inclusion of Functionality from Untrusted Control Sphere
Product status
References
github.com/...estbot/security/advisories/GHSA-9qf3-c86c-j346
github.com/...estbot/security/advisories/GHSA-9qf3-c86c-j346
github.com/...nization/questbot/releases/tag/questbot-v1.0.3