CVSS3: 8.1 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
AI Score: 9.4 High (Confidence: High)
EPSS: 0.001 Low (Percentile: 49.3%)
Cocos Engine is an open-source framework for building 2D and 3D real-time rendering and interactive content. In the GitHub repository for Cocos Engine, the workflow web-interface-check.yml was subject to command injection. The workflow was triggered when a pull request was opened or updated and contained the user-controllable field ${{ github.head_ref }} (the name of the fork's branch), which GitHub Actions expands as plain text into the step's script before the shell executes it. This would allow an attacker to take over the GitHub runner, run arbitrary commands (potentially stealing secrets such as GITHUB_TOKEN), and alter the repository. The workflow has since been removed from the repository. No action is required of users.
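The following is an added example, not code from the advisory or from the Cocos Engine repository (the exact contents of the removed workflow are not reproduced here). It simulates what the Actions runner does with a `run:` step: the `${{ github.head_ref }}` expression is substituted as text before `sh` ever sees the script, so a branch name containing shell metacharacters becomes part of the script. The branch name, the `INJECTED-MARKER` string and the helper names are constructed for the demonstration; the hardened variant shows the standard mitigation of passing the value through an environment variable and quoting it in the shell.

```shell
#!/bin/sh
# Added example (not from the advisory or the Cocos project).
#
# Vulnerable step shape (pattern described in the advisory, YAML paraphrased):
#   - run: echo "checking branch ${{ github.head_ref }}"
# Hardened step shape:
#   - env:
#       HEAD_REF: ${{ github.head_ref }}
#     run: echo "checking branch $HEAD_REF"

# Constructed attacker-controlled branch name: it closes the quoted string,
# runs a command, then reopens a quote so the rendered line stays valid shell.
MALICIOUS_REF='feature";echo INJECTED-MARKER;echo "'

# Emulates the runner: the expression is pasted into the script as text, and
# only then is the resulting script handed to the shell.  Rendered script:
#   echo "checking branch feature";echo INJECTED-MARKER;echo ""
run_unsafe() {
    script=$(printf 'echo "checking branch %s"' "$1")
    sh -c "$script"
}

# Hardened pattern: the branch name never enters the script text.  The shell
# reads it from the environment at runtime and the double quotes keep it as
# a single word, so metacharacters are printed, not executed.
run_safe() {
    HEAD_REF="$1" sh -c 'echo "checking branch $HEAD_REF"'
}

# Returns 0 if the injected command produced its marker line, 1 otherwise.
# Usage: injected run_unsafe "$MALICIOUS_REF"
injected() {
    "$@" | grep -q '^INJECTED-MARKER$'
}

# Stand-alone demonstration: the unsafe rendering executes the injected
# command, the env-var version only echoes the (odd-looking) branch name.
echo "--- unsafe ---"; run_unsafe "$MALICIOUS_REF"
echo "--- safe ---";   run_safe   "$MALICIOUS_REF"
```

On a real runner the payload would typically exfiltrate `GITHUB_TOKEN` or other secrets rather than echo a marker; the mechanism is the same, and the environment-variable form is the fix regardless of which expression is interpolated (`github.head_ref`, PR titles, commit messages and issue bodies are all attacker-controlled in the same way).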
[
  {
    "vendor": "cocos",
    "product": "cocos-engine",
    "versions": [
      {
        "version": "< 6d06aefa26",
        "status": "affected"
      }
    ]
  }
]