github-slug-action is a GitHub Action to expose slug value of GitHub environment variables inside of one's GitHub workflow. Starting in version 4.0.0and prior to version 4.4.1, this action uses thegithub.head_ref` parameter in an insecure way. This vulnerability can be triggered by any user on GitHub on any workflow using the action on pull requests. They just need to create a pull request with a branch name, which can contain the attack payload. This can be used to execute code on the GitHub runners and to exfiltrate any secrets one uses in the CI pipeline. A patched action is available in version 4.4.1. No workaround is available.
{
"cwe_ids": [
"CWE-77"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/27xxx/CVE-2023-27581.json",
"cna_assigner": "GitHub_M"
}{
"cpe": "cpe:2.3:a:github-slug-action_project:github-slug-action:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.4.1"
}
],
"source": [
"AFFECTED_FIELD",
"CPE_RANGE",
"REFERENCES"
]
}