CVE-2023-51664

CVSS V2 None CVSS V3 None

Description

tj-actions/changed-files is a Github action to retrieve all files and directories. Prior to 41.0.0, the `tj-actions/changed-files` workflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. This issue may lead to arbitrary command execution in the GitHub Runner. This vulnerability has been addressed in version 41.0.0. Users are advised to upgrade.

Overview

CVE ID
CVE-2023-51664

Assigner
GitHub_M

Vulnerability Status
PUBLISHED

Published Version
2023-12-27T16:58:31.908Z

Last Modified Date
2023-12-27T16:58:31.908Z

Weakness Enumerations

CWE	URL
CWE-77	http://cwe.mitre.org/data/definitions/77.html
CWE-74	http://cwe.mitre.org/data/definitions/74.html

References

Reference URL	Reference Tags
https://github.com/tj-actions/changed-files/security/advisories/GHSA-mcph-m25j-8j63	x_refsource_CONFIRM
https://github.com/tj-actions/changed-files/commit/0102c07446a3cad972f4afcbd0ee4dbc4b6d2d1b	x_refsource_MISC
https://github.com/tj-actions/changed-files/commit/716b1e13042866565e00e85fd4ec490e186c4a2f	x_refsource_MISC
https://github.com/tj-actions/changed-files/commit/ff2f6e6b91913a7be42be1b5917330fe442f2ede	x_refsource_MISC

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-51664
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-51664

History

Created	Old Value	New Value	Data Type	Notes
2024-06-24 18:38:13				Added to TrackCVE