CVSS3 8.8 High
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS 0.001 Low
Percentile 45.3%
This action uses the github.head_ref parameter in an insecure way.
This vulnerability can be triggered by any GitHub user on any workflow that runs the action on pull requests: the attacker only needs to open a pull request from a branch whose name carries the payload. (Note that workflows are not run automatically for a first-time contributor's pull request, but an attacker can first submit a legitimate PR and then the malicious one.) The injected commands execute on the GitHub runner (for example for crypto-mining, wasting your resources) and can exfiltrate any secrets used in the CI pipeline.
> Pass the variable as an environment variable and then use the environment variable instead of substituting it directly.
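As an added illustration (this is not code from the advisory or from the github-slug-action project), the shell script below simulates the expansion model behind this class of bug and the remediation quoted above, and adds a small audit heuristic run over a constructed workflow file. The branch-name payload, the workflow file and the helper names (vulnerable_step, hardened_step, find_unsafe_expressions) are all made up for the example.

```shell
#!/usr/bin/env bash
# Added example; not code from the advisory or from github-slug-action.
# Simulates why `${{ github.head_ref }}` inside `run:` is a command injection:
# the runner substitutes the expression's text into the step script before the
# shell parses it, so the PR author's branch name becomes part of the script.

# Constructed attacker-controlled branch name (hypothetical payload).
MALICIOUS_HEAD_REF='feature";echo INJECTED;#'

# Vulnerable pattern, equivalent of:
#   run: echo "branch=${{ github.head_ref }}"
# The value is spliced into the script text, then the shell runs the result.
vulnerable_step() {
  script='echo "branch='"$1"'"'
  sh -c "$script"
}

# Hardened pattern, equivalent of:
#   env:
#     HEAD_REF: ${{ github.head_ref }}
#   run: echo "branch=$HEAD_REF"
# The script text is fixed; the value reaches the shell as data via the environment.
hardened_step() {
  HEAD_REF="$1" sh -c 'echo "branch=$HEAD_REF"'
}

# Audit heuristic: flag lines that interpolate a PR-controlled context into
# anything other than a plain `key: ${{ ... }}` assignment (env: and with:
# inputs pass the value as data; `run:` text is code). The context list
# follows the GitHub Security Lab "untrusted input" article.
UNTRUSTED_CONTEXTS='github[.](head_ref|event[.]pull_request[.](title|body|head[.](ref|label))|event[.]issue[.](title|body)|event[.]comment[.]body|event[.]head_commit[.]message)'
find_unsafe_expressions() {
  # $1: workflow file. Prints "line:text" per finding; exit status 1 if any.
  awk -v ctx="$UNTRUSTED_CONTEXTS" '
    $0 ~ ("[$][{][{] *" ctx) {
      if ($0 ~ /^[ \t-]*[A-Za-z_][A-Za-z0-9_-]*:[ \t]*[$][{][{][^}]*[}][}][ \t]*$/ && $0 !~ /^[ \t-]*run:/) next
      printf "%d:%s\n", FNR, $0; found = 1
    }
    END { exit found ? 1 : 0 }' "$1"
}

# Constructed workflow with one vulnerable and one hardened step.
WORKFLOW_FILE=$(mktemp)
trap 'rm -f "$WORKFLOW_FILE"' EXIT
cat > "$WORKFLOW_FILE" <<'EOF'
name: ci
on: pull_request
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: vulnerable (expression spliced into the script)
        run: echo "Building ${{ github.head_ref }}"
      - name: hardened (expression passed through the environment)
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: echo "Building $HEAD_REF"
EOF

echo "--- vulnerable step:"; vulnerable_step "$MALICIOUS_HEAD_REF"
echo "--- hardened step:";   hardened_step "$MALICIOUS_HEAD_REF"
echo "--- audit findings:";  find_unsafe_expressions "$WORKFLOW_FILE" || true
```

The vulnerable step prints "branch=feature" and then "INJECTED", because the payload closed the quoted string and started a second command; the hardened step prints the whole branch name as a single literal line. The audit heuristic only inspects the calling workflow: in this advisory the unsafe interpolation lived inside the action's own definition, so the actions you consume need the same review, not just your workflows.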
The patched action is available on tag v4, tag v4.4.1, and any later tag.
No workaround is available. If impacted, please upgrade to a patched version.
> ℹ️ v3 and v4 are compatible.
Here is a set of blog posts by GitHub's security team explaining this issue.
Thanks to the team of researchers from Purdue University, who are working on finding vulnerabilities in CI/CD configurations of open-source software. Their tool detected this security vulnerability.
github.com/rlespinasse/github-slug-action
github.com/rlespinasse/github-slug-action/commit/102b1a064a9b145e56556e22b18b19c624538d94
github.com/rlespinasse/github-slug-action/releases/tag/v4.4.1
github.com/rlespinasse/github-slug-action/security/advisories/GHSA-6q4m-7476-932w
nvd.nist.gov/vuln/detail/CVE-2023-27581
securitylab.github.com/research/github-actions-untrusted-input