CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score: 8.4 High (Confidence: High)
EPSS: 0.001 Low (Percentile: 23.1%)
The tj-actions/verify-changed-files action allows command injection through changed filenames, letting an attacker execute arbitrary code and potentially leak secrets.

The verify-changed-files action returns the list of files changed within a workflow execution. Filenames may contain special characters such as ; and ` (backtick). If the output value is used raw inside a run block (the expression is substituted directly into the script text before it executes), an attacker can use those characters to take over the GitHub Runner. By running custom commands an attacker may be able to steal secrets such as GITHUB_TOKEN if the workflow is triggered on events other than pull_request, for example on push.

For example, $(whoami).txt would be a valid filename. Consider this "List all changed files tracked and untracked files" step:

    - name: List all changed files tracked and untracked files
      run: |
        echo "Changed files: ${{ steps.verify-changed-files.outputs.changed_files }}"
Example output:
    ##[group]Run echo "Changed files: $(whoami).txt"
    echo "Changed files: $(whoami).txt"
    shell: /usr/bin/bash -e {0}
    ##[endgroup]
    Changed files: runner.txt
This issue may lead to arbitrary command execution in the GitHub Runner.

A new safe_output input, enabled by default, returns filename paths with special characters such as ;, ` (backtick), $, ( and ) escaped for bash environments.

The recommended safe usage is to store untrusted outputs in environment variables and reference them from the script instead of interpolating the expression into it:

    - name: List all changed files tracked and untracked files
      env:
        CHANGED_FILES: ${{ steps.verify-changed-files.outputs.changed_files }}
      run: |
        echo "Changed files: $CHANGED_FILES"
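As an added example (not code from the advisory or the tj-actions project), a small Python scanner that flags the unsafe pattern described above: any ${{ }} expression interpolated directly into a run: script, where the safe env: plus "$VAR" form is not flagged. It is line-based rather than a YAML parser, the embedded sample workflow is constructed for the example, and it flags every interpolated expression rather than only step outputs, which goes beyond the single case the advisory describes.

```python
import re

# ${{ }} expressions are expanded into the script text before bash parses it,
# so an attacker-influenced value such as the filename "$(whoami).txt" becomes
# shell code. The safe pattern is env: plus "$VAR" inside the script.
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_RE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")
NAME_RE = re.compile(r"^\s*(?:-\s+)?name:\s*(.*)$")

def find_unsafe_run_interpolations(workflow: str) -> list:
    """Return (step name, expression) for every ${{ }} inside a run: script.
    Line-based so it needs no YAML library; handles inline `run: cmd` and
    block scalars `run: |` / `run: >`."""
    findings = []
    step_name = "<unnamed>"
    block_indent = None  # indent of the run: key while inside a block scalar
    for line in workflow.splitlines():
        if block_indent is not None:
            indent = len(line) - len(line.lstrip())
            if not line.strip() or indent > block_indent:
                findings += [(step_name, e) for e in EXPR_RE.findall(line)]
                continue
            block_indent = None  # a dedented line ends the block scalar
        m = NAME_RE.match(line)
        if m:
            step_name = m.group(1).strip().strip("\"'")
            continue
        m = RUN_RE.match(line)
        if m and m.group(2).startswith(("|", ">")):
            block_indent = len(m.group(1))
        elif m:
            findings += [(step_name, e) for e in EXPR_RE.findall(m.group(2))]
    return findings

# Constructed sample: the advisory's vulnerable step next to its env:-based fix.
SAMPLE_WORKFLOW = """\
jobs:
  check:
    steps:
      - name: Unsafe echo
        run: |
          echo "Changed files: ${{ steps.verify-changed-files.outputs.changed_files }}"
      - name: Safe echo
        env:
          CHANGED_FILES: ${{ steps.verify-changed-files.outputs.changed_files }}
        run: |
          echo "Changed files: $CHANGED_FILES"
"""
```

Running it over SAMPLE_WORKFLOW reports only the "Unsafe echo" step; the env: mapping in "Safe echo" is not a run: script and is left alone.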
github.com/tj-actions/verify-changed-files
github.com/tj-actions/verify-changed-files/commit/498d3f316f501aa72485060e8c96fde7b2014f12
github.com/tj-actions/verify-changed-files/commit/592e305da041c09a009afa4a43c97d889bed65c3
github.com/tj-actions/verify-changed-files/security/advisories/GHSA-ghm2-rq8q-wrhc
nvd.nist.gov/vuln/detail/CVE-2023-52137