GitHub_MCVELIST:CVE-2023-26493CVE-2023-26493 Command Injection in Cocos Engine workflow
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
9.4 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
49.3%
Cocos Engine is an open-source framework for building 2D & 3D real-time rendering and interactive content. In the github repo for Cocos Engine the web-interface-check.yml was subject to command injection. The web-interface-check.yml was triggered when a pull request was opened or updated and contained the user controllable field (${{ github.head_ref }} β the name of the forkβs branch). This would allow an attacker to take over the GitHub Runner and run custom commands (potentially stealing secrets such as GITHUB_TOKEN) and altering the repository. The workflow has since been removed for the repository. There are no actions required of users.
CNA Affected
[
{
"vendor": "cocos",
"product": "cocos-engine",
"versions": [
{
"version": "< 6d06aefa26",
"status": "affected"
}
]
}
]Related
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
9.4 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
49.3%