3 matches found
CVE-2023-31128 NextCloud Cookbook's pull-checks.yml workflow is vulnerable to OS Command Injection
NextCloud Cookbook is a recipe library app. Prior to commit a46d9855 on the master branch and commit 489bb744 on the main-0.9.x branch, the pull-checks.yml workflow is vulnerable to command injection attacks because of using an untrusted github.headref field. The github.headref value is an...
CVE-2023-31128 NextCloud Cookbook's pull-checks.yml workflow is vulnerable to OS Command Injection
NextCloud Cookbook is a recipe library app. Prior to commit a46d9855 on the master branch and commit 489bb744 on the main-0.9.x branch, the pull-checks.yml workflow is vulnerable to command injection attacks because of using an untrusted github.headref field. The github.headref value is an...
CVE-2023-31128
Summary: CVE-2023-31128 concerns NextCloud Cookbook’s pull-checks.yml workflow, where an untrusted github.head_ref value can be attacker-controlled, enabling command injection via a crafted value (e.g., zzz";echo${IFS}"hello";#). The issue, stemming from a lack of input validation in the workflow...