First published: Mon Mar 13 2023

### Impact

This action uses the `github.head_ref` parameter in an insecure way. This vulnerability can be triggered by any user on GitHub on any workflow using the action on pull requests. They just need to create a pull request with a branch name, which can contain the attack payload. (Note that first-time pull requests will not be run, but the attacker can submit a valid PR before submitting an invalid PR.) This can be used to execute code on the GitHub runners (potentially for crypto-mining, wasting your resources) and to exfiltrate any secrets you use in the CI pipeline.

### Patches

> Pass the variable as an environment variable and then use the environment variable instead of substituting it directly.

Patched action is available on tag **v4**, tag **v4.4.1**, and any tag beyond.

### Workarounds

No workaround is available; if impacted, please upgrade the version.

> ℹ️ **v3** and **v4** are compatible.

### References

[Here](https://securitylab.github.com/research/github-actions-untrusted-input/) is a set of blog posts by GitHub's security team explaining this issue.

### Thanks

Thanks to the team of researchers from Purdue University, who are working on finding vulnerabilities in CI/CD configurations of open-source software. Their tool detected this security vulnerability.
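A small linter for the pattern described above, added here as an illustration and not code from the advisory or from the github-slug-action project: it flags `run:` scripts that interpolate `github.head_ref` (plus a few other pull-request contexts that GitHub's Security Lab posts list as attacker-controlled) and accepts the patched pattern, where the value is passed through `env:` and the script reads a plain environment variable. The two sample workflows are constructed for the example.

```python
import re
# Pull-request contexts that GitHub's Security Lab posts describe as
# attacker-controlled (branch name, PR title/body). Deliberately non-exhaustive.
UNTRUSTED = re.compile(
    r"\$\{\{\s*(github\.head_ref"
    r"|github\.event\.pull_request\.(?:title|body|head\.(?:ref|label)))\s*\}\}"
)

def find_unsafe_run_steps(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, context) for every untrusted-context expression
    interpolated into a `run:` script. The same expression under `env:` is
    not flagged: the value then lands in a plain environment variable."""
    findings = []
    in_run, run_indent = False, 0
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        key = stripped[2:] if stripped.startswith("- ") else stripped
        if key.startswith("run:"):
            in_run, run_indent = True, indent
            body = key[4:]  # inline script, or "|" / ">" for a block scalar
        elif in_run and (not stripped or indent > run_indent):
            body = stripped  # continuation line of a block scalar
        else:
            in_run = False  # dedent ends the run: block
            continue
        findings.extend((no, m.group(1)) for m in UNTRUSTED.finditer(body))
    return findings
# Constructed sample workflows: the unsafe pattern and the patched pattern.
VULNERABLE = """\
on: pull_request
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "Branch: ${{ github.head_ref }}"
          echo "Title: ${{ github.event.pull_request.title }}"
"""
FIXED = """\
on: pull_request
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - env:
          HEAD_REF: ${{ github.head_ref }}
        run: echo "Branch: $HEAD_REF"
"""
```

Running `find_unsafe_run_steps(VULNERABLE)` reports both interpolated contexts with their line numbers, while the patched workflow yields no findings.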
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| actions/rlespinasse/github-slug-action | >=4.0.0 <4.4.1 | 4.4.1 |
| Github-slug-action Project Github-slug-action | >=4.0.0 <4.4.1 | |
https://github.com/rlespinasse/github-slug-action/commit/102b1a064a9b145e56556e22b18b19c624538d94
This vulnerability allows any user on GitHub to attack workflows that use the `github.head_ref` parameter unsafely, by creating a pull request whose branch name contains an attack payload.
Versions 4.0.0 up to, but not including, 4.4.1 of the `rlespinasse/github-slug-action` package are affected by this vulnerability.
The severity score of CVE-2023-27581 is 8.8 (high).
To remediate CVE-2023-27581, update the `rlespinasse/github-slug-action` package to version 4.4.1 or later.