Lucene search

[email protected]CVE-2023-52137

HistoryDec 29, 2023 - 5:16 p.m.

CVE-2023-52137

2023-12-2917:16:07

CWE-77

CWE-20

[email protected]

web.nvd.nist.gov

cve

2023

52137

command injection

code execution

secrets leak

tj-actions/verify-changed-files

github runner

github actions

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

23.3%

JSON

The tj-actions/verify-changed-files action allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. The verify-changed-files workflow returns the list of files changed within a workflow execution. This could potentially allow filenames that contain special characters such as ; which can be used by an attacker to take over the GitHub Runner if the output value is used in a raw fashion (thus being directly replaced before execution) inside a run block. By running custom commands, an attacker may be able to steal secrets such as GITHUB_TOKEN if triggered on other events than pull_request.

This has been patched in versions 17 and 17.0.0 by enabling safe_output by default and returning filename paths escaping special characters for bash environments.

Affected configurations

Vulners

NVD

Node

tj-actionsverify-changed-filesRange<17.0.0

VendorProductVersionCPE
tj\-actionsverify\-changed\-files*cpe:2.3:a:tj\-actions:verify\-changed\-files:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
tj\-actions	verify\-changed\-files	*	cpe:2.3:a:tj\-actions:verify\-changed\-files::::::::

CNA Affected

[
  {
    "vendor": "tj-actions",
    "product": "verify-changed-files",
    "versions": [
      {
        "version": "< 17.0.0",
        "status": "affected"
      }
    ]
  }
]