CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
Low
EPSS
Percentile
71.6%
The tj-actions/changed-files
workflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets.
The changed-files
action returns a list of files changed in a commit or pull request which provides an escape_json
input enabled by default, only escapes "
for JSON values.
This could potentially allow filenames that contain special characters such as ;
and ` (backtick) which can be used by an attacker to take over the GitHub Runner if the output value is used in a raw fashion (thus being directly replaced before execution) inside a run
block. By running custom commands an attacker may be able to steal secrets such as GITHUB_TOKEN
if triggered on other events than pull_request
. For example on push
.
$(whoami).txt
which is a valid filename.List all changed files
step below. - name: List all changed files
run: |
for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
echo "$file was changed"
done
Example output:
##[group]Run for file in $(whoami).txt; do
for file in $(whoami).txt; do
echo "$file was changed"
done
shell: /usr/bin/bash -e {0}
##[endgroup]
runner.txt was changed
This issue may lead to arbitrary command execution in the GitHub Runner.
A new safe_output
input would be enabled by default and return filename paths escaping special characters like ;, ` (backtick), $, (), etc for bash environments.
A safe recommendation of using environment variables to store unsafe outputs.
- name: List all changed files
env:
ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
run: |
for file in "$ALL_CHANGED_FILES"; do
echo "$file was changed"
done
github.com/tj-actions/changed-files
github.com/tj-actions/changed-files/commit/0102c07446a3cad972f4afcbd0ee4dbc4b6d2d1b
github.com/tj-actions/changed-files/commit/716b1e13042866565e00e85fd4ec490e186c4a2f
github.com/tj-actions/changed-files/commit/ff2f6e6b91913a7be42be1b5917330fe442f2ede
github.com/tj-actions/changed-files/security/advisories/GHSA-mcph-m25j-8j63
nvd.nist.gov/vuln/detail/CVE-2023-51664
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
Low
EPSS
Percentile
71.6%