CVE-2023-27581
CVSS V2 None
CVSS V3 None
Description
github-slug-action is a GitHub Action to expose slug value of GitHub environment variables inside of one's GitHub workflow. Starting in version 4.0.0` and prior to version 4.4.1, this action uses the `github.head_ref` parameter in an insecure way. This vulnerability can be triggered by any user on GitHub on any workflow using the action on pull requests. They just need to create a pull request with a branch name, which can contain the attack payload. This can be used to execute code on the GitHub runners and to exfiltrate any secrets one uses in the CI pipeline. A patched action is available in version 4.4.1. No workaround is available.
Overview
- CVE ID
- CVE-2023-27581
- Assigner
- security-advisories@github.com
- Vulnerability Status
- Analyzed
- Published Version
- 2023-03-13T21:15:14
- Last Modified Date
- 2023-03-17T16:05:39
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:github-slug-action_project:github-slug-action:*:*:*:*:*:*:*:* | 1 | OR | 4.0.0 | 4.4.1 |
References
| Reference URL | Reference Tags |
|---|---|
| https://github.com/rlespinasse/github-slug-action/commit/102b1a064a9b145e56556e22b18b19c624538d94 | Patch |
| https://github.com/rlespinasse/github-slug-action/releases/tag/v4.4.1 | Release Notes |
| https://github.com/rlespinasse/github-slug-action/security/advisories/GHSA-6q4m-7476-932w | Vendor Advisory |
| https://securitylab.github.com/research/github-actions-untrusted-input/ | Exploit Third Party Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2023-27581 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27581 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2023-04-17 06:22:30 | Added to TrackCVE | |||
| 2023-04-17 06:22:32 | Weakness Enumeration | new |