CVE-2023-27581

2023-03-1321:15:14

CWE-77

[email protected]

web.nvd.nist.gov

cve-2023-27581

github action

environment variable

security vulnerability

github workflow

code execution

information exfiltration

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

45.3%

JSON

github-slug-action is a GitHub Action to expose slug value of GitHub environment variables inside of one’s GitHub workflow. Starting in version 4.0.0and prior to version 4.4.1, this action uses thegithub.head_ref` parameter in an insecure way. This vulnerability can be triggered by any user on GitHub on any workflow using the action on pull requests. They just need to create a pull request with a branch name, which can contain the attack payload. This can be used to execute code on the GitHub runners and to exfiltrate any secrets one uses in the CI pipeline. A patched action is available in version 4.4.1. No workaround is available.

Affected configurations

Vulners

NVD

Node

rlespinassegithub_slug_actionRange4.0.0–4.4.1

CPENameOperatorVersion
github-slug-action_project:github-slug-actiongithub-slug-action project github-slug-actionlt4.4.1

CPE	Name	Operator	Version
github-slug-action_project:github-slug-action	github-slug-action project github-slug-action	lt	4.4.1

CNA Affected

[
  {
    "vendor": "rlespinasse",
    "product": "github-slug-action",
    "versions": [
      {
        "version": ">= 4.0.0, < 4.4.1",
        "status": "affected"
      }
    ]
  }
]