CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-52137 – GitHub Action tj-actions/verify-changed-files is vulnerable to command injection in output filenames
https://notcve.org/view.php?id=CVE-2023-52137
29 Dec 2023 — The [`tj-actions/verify-changed-files`](https://github.com/tj-actions/verify-changed-files) action allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. The [`verify-changed-files`](https://github.com/tj-actions/verify-changed-files) workflow returns the list of files changed within a workflow execution. This could potentially allow filenames that contain special characters such as `;` which can be used by an attacker to take over the... • https://github.com/tj-actions/verify-changed-files/commit/498d3f316f501aa72485060e8c96fde7b2014f12 • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •