CVE-2023-52137
GitHub Action tj-actions/verify-changed-files is vulnerable to command injection in output filenames
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
The [`tj-actions/verify-changed-files`](https://github.com/tj-actions/verify-changed-files) action allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. The [`verify-changed-files`](https://github.com/tj-actions/verify-changed-files) workflow returns the list of files changed within a workflow execution. This could potentially allow filenames that contain special characters such as `;` which can be used by an attacker to take over the [GitHub Runner](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners) if the output value is used in a raw fashion (thus being directly replaced before execution) inside a `run` block. By running custom commands, an attacker may be able to steal secrets such as `GITHUB_TOKEN` if triggered on other events than `pull_request`.
This has been patched in versions [17](https://github.com/tj-actions/verify-changed-files/releases/tag/v17) and [17.0.0](https://github.com/tj-actions/verify-changed-files/releases/tag/v17.0.0) by enabling `safe_output` by default and returning filename paths escaping special characters for bash environments.
La acción [`tj-actions/verify-changed-files`](https://github.com/tj-actions/verify-changed-files) permite la inyección de comandos en nombres de archivos modificados, lo que permite a un atacante ejecutar código arbitrario y potencialmente filtrar secretos. El workflow [`verify-changed-files`](https://github.com/tj-actions/verify-changed-files) devuelve la lista de archivos modificados dentro de una ejecución de flujo de trabajo. Potencialmente, esto podría permitir nombres de archivos que contengan caracteres especiales como `;` que un atacante puede utilizar para hacerse cargo de [GitHub Runner](https://docs.github.com/en/actions/using-github-hosted- runners/about-github-hosted-runners) si el valor de salida se usa sin formato (por lo tanto, se reemplaza directamente antes de la ejecución) dentro de un bloque "run". Al ejecutar comandos personalizados, un atacante puede robar secretos como `GITHUB_TOKEN` si se activan en otros eventos distintos de `pull_request`. Esto ha sido parcheado en las versiones [17](https://github.com/tj-actions/verify-changed-files/releases/tag/v17) y [17.0.0](https://github.com/tj -actions/verify-changed-files/releases/tag/v17.0.0) habilitando `safe_output` de forma predeterminada y devolviendo rutas de nombres de archivos que escapan de caracteres especiales para entornos bash.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-12-28 CVE Reserved
- 2023-12-29 CVE Published
- 2024-08-02 CVE Updated
- 2024-08-02 First Exploit
- 2024-11-04 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-20: Improper Input Validation
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CAPEC
References (3)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/tj-actions/verify-changed-files/security/advisories/GHSA-ghm2-rq8q-wrhc | 2024-08-02 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Tj-actions Search vendor "Tj-actions" | Verify-changed-files Search vendor "Tj-actions" for product "Verify-changed-files" | < 17.0.0 Search vendor "Tj-actions" for product "Verify-changed-files" and version " < 17.0.0" | github |
Affected
| ||||||