Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-GHM2-RQ8Q-WRHC
HistoryJan 02, 2024 - 4:42 p.m.

Potential Actions command injection in output filenames (GHSL-2023-275)

2024-01-0216:42:27
CWE-20
CWE-77
GitHub Advisory Database
github.com
9
command injection
output filenames
arbitrary code
github runner
secrets
special characters
pull request
environment variables
secure workflow

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

23.3%

JSON

Summary

The tj-actions/verify-changed-files action allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets.

Details

The verify-changed-files workflow returns the list of files changed within a workflow execution.

This could potentially allow filenames that contain special characters such as ; and ` (backtick) which can be used by an attacker to take over the GitHub Runner if the output value is used in a raw fashion (thus being directly replaced before execution) inside a run block. By running custom commands an attacker may be able to steal secrets such as GITHUB_TOKEN if triggered on other events than pull_request. For example on push.

Proof of Concept

  1. Submit a pull request to the repository with a new file injecting a command. For example $(whoami).txt would be a valid filename.
  2. Upon approval of the workflow (triggered by the pull request), the action will get executed and the malicious pull request filename will flow into the List all changed files tracked and untracked files step.
- name: List all changed files tracked and untracked files
  run: |
    echo "Changed files: ${{ steps.verify-changed-files.outputs.changed_files }}"

Example output:

##[group]Run echo "Changed files: $(whoami).txt"
  echo "Changed files: $(whoami).txt"
shell: /usr/bin/bash -e {0}
##[endgroup]
Changed files: runner.txt

Impact

This issue may lead to arbitrary command execution in the GitHub Runner.

Resolution

  • A new safe_output input would be enabled by default and return filename paths escaping special characters like ;, ` (backtick), $, (), etc for bash environments.

  • A safe recommendation of using environment variables to store unsafe outputs.

- name: List all changed files tracked and untracked files
  env:
     CHANGED_FILES: ${{ steps.verify-changed-files.outputs.changed_files }}
  run: |
    echo "Changed files: $CHANGED_FILES"

Resources

Affected configurations

Vulners
Node
tj-actionsverify-changed-filesRange<17
CPENameOperatorVersion
tj-actions/verify-changed-fileslt17

Related

nvd 1
osv 2
cvelist 1
cve 1
prion 1
nvd
nvd
CVE-2023-52137
2023-12-29 17:16:07
osv
osv
CVE-2023-52137
2023-12-29 17:16:07
Potential Actions command injection in output filenames (GHSL-2023-275)
2024-01-02 16:42:27
cvelist
cvelist
CVE-2023-52137 GitHub Action tj-actions/verify-changed-files is vulnerable to command injection in output filenames
2023-12-29 17:08:49
cve
cve
CVE-2023-52137
2023-12-29 17:16:07
prion
prion
Command injection
2023-12-29 17:16:00

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

23.3%

JSON
Related for GHSA-GHM2-RQ8Q-WRHC
nvd1osv2cvelist1cve1prion1