CVE-2023-27581: Command Injection
First published: Mon Mar 13 2023(Updated: )
### Impact This action uses the `github.head_ref` parameter in an insecure way. This vulnerability can be triggered by any user on GitHub on any workflow using the action on pull requests. They just need to create a pull request with a branch name, which can contain the attack payload. (Note that first-time PR requests will not be run - but the attacker can submit a valid PR before submitting an invalid PR). This can be used to execute code on the GitHub runners (potentially use it for crypto-mining, and waste your resources) and to exfiltrate any secrets you use in the CI pipeline. ### Patches > Pass the variable as an environment variable and then use the environment variable instead of substituting it directly. Patched action is available on tag **v4**, tag **v4.4.1**, and any tag beyond. ### Workarounds No workaround is available if impacted, please upgrade the version > ℹ️ **v3** and **v4** are compatibles. ### References [Here](https://securitylab.github.com/research/github-actions-untrusted-input/) is a set of blog posts by Github's security team explaining this issue. ### Thanks Thanks to the team of researchers from Purdue University, who are working on finding vulnerabilities in CI/CD configurations of open-source software. Their tool detected this security vulnerability.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| actions/rlespinasse/github-slug-action | >=4.0.0<4.4.1 | 4.4.1 |
| Github-slug-action Project Github-slug-action | >=4.0.0<4.4.1 |
Remedy
https://github.com/rlespinasse/github-slug-action/commit/102b1a064a9b145e56556e22b18b19c624538d94
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/rlespinasse/github-slug-action/commit/102b1a064a9b145e56556e22b18b19c624538d94
- https://github.com/rlespinasse/github-slug-action/releases/tag/v4.4.1
- https://github.com/rlespinasse/github-slug-action/security/advisories/GHSA-6q4m-7476-932w
- https://securitylab.github.com/research/github-actions-untrusted-input/
Frequently Asked Questions
What is the impact of CVE-2023-27581?
This vulnerability allows any user on GitHub to trigger a vulnerability in workflows that use the `github.head_ref` parameter, by creating a pull request with a branch name containing an attack payload.
How can CVE-2023-27581 be exploited?
This vulnerability can be exploited by creating a pull request with a branch name that contains an attack payload.
What software is affected by CVE-2023-27581?
The `rlespinasse/github-slug-action` package version 4.0.0 to 4.4.1 is affected by this vulnerability.
What is the severity score of CVE-2023-27581?
The severity score of CVE-2023-27581 is 8.8 (high).
How can CVE-2023-27581 be remediated?
To remediate CVE-2023-27581, update the `rlespinasse/github-slug-action` package to version 4.4.1 or later.
- collector/nvd-index
- agent/author
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/references
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-6q4m-7476-932w
- alias/CVE-2023-27581
- agent/software-canonical-lookup
- agent/weakness
- agent/severity
- agent/remedy
- agent/last-modified-date
- agent/description
- agent/event
- collector/nvd-cve
- source/NVD
- agent/tags
- collector/github-advisory
- vendor/github-slug-action project
- canonical/github-slug-action project github-slug-action
- version/github-slug-action project github-slug-action/4.0.0
- package-manager/actions