CVE-2023-52137

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2023-52137
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-52137.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-52137
Aliases
Published
2023-12-29T17:08:49.356Z
Modified
2026-04-02T09:45:23.475592Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L CVSS Calculator
Summary
GitHub Action tj-actions/verify-changed-files is vulnerable to command injection in output filenames
Details

The tj-actions/verify-changed-files action allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. The verify-changed-files workflow returns the list of files changed within a workflow execution. This could potentially allow filenames that contain special characters such as ; which can be used by an attacker to take over the GitHub Runner if the output value is used in a raw fashion (thus being directly replaced before execution) inside a run block. By running custom commands, an attacker may be able to steal secrets such as GITHUB_TOKEN if triggered on other events than pull_request.

This has been patched in versions 17 and 17.0.0 by enabling safe_output by default and returning filename paths escaping special characters for bash environments.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-20"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/52xxx/CVE-2023-52137.json"
}
References

Affected packages

Git / github.com/tj-actions/verify-changed-files

Affected ranges

Type
GIT
Repo
https://github.com/tj-actions/verify-changed-files
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
bc950d8b56b01c2c024b82bf5b8f93b685713725

Affected versions

Other
v1
v10
v11
v12
v13
v14
v15
v16
v2
v3
v4
v5
v6
v7
v8
v9
v1.*
v1.0.1
v10.*
v10.1
v11.*
v11.1
v12.*
v12.0
v13.*
v13.1
v13.2.0
v14.*
v14.0.0
v14.0.1
v14.0.2
v15.*
v15.0.0
v15.0.1
v15.0.2
v16.*
v16.0.0
v16.0.1
v16.1.0
v16.1.1
v2.*
v2.0a
v3.*
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.a
v3.0.alpha
v3.0.b
v3.0.beta
v3.0.g
v3.0.gamma
v5.*
v5.1
v5.2
v5.3
v5.4
v5.5
v5.6
v5.7
v6.*
v6.1
v6.2
v7.*
v7.1
v7.2
v8.*
v8.1
v8.2
v8.3
v8.4
v8.5
v8.6
v8.7
v8.8
v9.*
v9.1
v9.2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-52137.json"