GitHub_MCVELIST:CVE-2023-52137CVE-2023-52137 GitHub Action tj-actions/verify-changed-files is vulnerable to command injection in output filenames
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
AI Score
Confidence
High
EPSS
Percentile
32.9%
The tj-actions/verify-changed-files action allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. The verify-changed-files workflow returns the list of files changed within a workflow execution. This could potentially allow filenames that contain special characters such as ; which can be used by an attacker to take over the GitHub Runner if the output value is used in a raw fashion (thus being directly replaced before execution) inside a run block. By running custom commands, an attacker may be able to steal secrets such as GITHUB_TOKEN if triggered on other events than pull_request.
This has been patched in versions 17 and 17.0.0 by enabling safe_output by default and returning filename paths escaping special characters for bash environments.
CNA Affected
[
{
"vendor": "tj-actions",
"product": "verify-changed-files",
"versions": [
{
"version": "< 17.0.0",
"status": "affected"
}
]
}
]Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
AI Score
Confidence
High
EPSS
Percentile
32.9%