NextCloud Cookbook's pull-checks.yml workflow is vulnerable to OS Command Injection
CVE-2023-31128

8.8 HIGH

Key Information:

Vendor: nextcloud
Status: Vendor
CVE Published: 26 May 2023

What is CVE-2023-31128?

The NextCloud Cookbook application is vulnerable to command injection because its pull-checks.yml GitHub Actions workflow uses the untrusted github.head_ref value (the name of the pull request's source branch) directly in a command. An attacker who controls that value can make the workflow execute arbitrary commands, which can lead to unauthorized write access to the repository and compromise its integrity. The issue has been fixed in recent commits on both the master and main-0.9.x branches. Users maintaining forks of NextCloud Cookbook are advised to update to the latest versions.
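The pattern behind this advisory is an expression such as ${{ github.head_ref }} expanded inside a run: script: the value is spliced into the script text before the shell parses it, so no quoting inside the script can contain it, whereas passing the value through env: hands it to the shell as data. The following is an added example, not code from the Cookbook project or its actual pull-checks.yml: it embeds two constructed workflow fragments (a risky one and the env-var mitigation) and a small scanner that flags untrusted contexts expanded inside run: scripts. The UNTRUSTED_CONTEXTS list is a non-exhaustive set of event fields a pull request or issue author controls.

```python
import re

# Expression contexts a PR/issue author controls (non-exhaustive);
# github.head_ref is the one named in CVE-2023-31128.
UNTRUSTED_CONTEXTS = (
    "github.head_ref",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.event.review.body",
    "github.event.head_commit.message",
    "github.event.commits",
)

RUN_KEY = re.compile(r"^\s*(?:-\s+)?run:\s*(?P<inline>.*)$")
EXPR = re.compile(r"\$\{\{\s*(?P<expr>.*?)\s*\}\}")


def run_scripts(workflow_text):
    """Yield (line_no, script) for every run: step. Handles inline scripts and
    `run: |` block scalars by indentation, without needing a YAML library."""
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key_col = lines[i].index("run:")
        inline = m.group("inline").strip()
        script = [] if inline in ("", "|", "|-", ">", ">-") else [inline]
        j = i + 1
        # Block scalar body: non-blank lines indented deeper than the run: key.
        while j < len(lines):
            line = lines[j]
            if line.strip() == "":
                j += 1
                continue
            if len(line) - len(line.lstrip()) <= key_col:
                break
            script.append(line.strip())
            j += 1
        yield i + 1, "\n".join(script)
        i = j


def find_injection_sinks(workflow_text):
    """Return [(line_no, expression)] for every untrusted expression that is
    expanded inside a run: script. Such a value becomes part of the script
    text before the shell runs, so it can terminate the intended command."""
    findings = []
    for line_no, script in run_scripts(workflow_text):
        for m in EXPR.finditer(script):
            expr = m.group("expr")
            if any(ctx in expr for ctx in UNTRUSTED_CONTEXTS):
                findings.append((line_no, expr))
    return findings


# Constructed fragment illustrating the risky pattern (not the real workflow).
VULNERABLE = """\
name: pull-checks
on: pull_request
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Show branch
        run: |
          echo "Checking ${{ github.head_ref }}"
          git fetch origin "${{ github.head_ref }}"
      - run: echo "Title: ${{ github.event.pull_request.title }}"
"""

# Constructed mitigated fragment: values cross into the shell via env:.
HARDENED = """\
name: pull-checks
on: pull_request
jobs:
  check:
    runs-on: ubuntu-latest
    env:
      HEAD_REF: ${{ github.head_ref }}
      PR_TITLE: ${{ github.event.pull_request.title }}
    steps:
      - name: Show branch
        run: |
          echo "Checking $HEAD_REF"
          git fetch origin "$HEAD_REF"
      - run: echo "Title: $PR_TITLE"
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, find_injection_sinks(text))
```

The scanner reports the run: line that owns each offending expression; the hardened fragment yields no findings because its scripts only reference shell variables, and the expressions appear under env:, where they are assigned rather than interpolated into code.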

Affected Version(s)

cookbook (master branch): versions before commit a46d9855; fixed in a46d9855

cookbook (main-0.9.x branch): versions before commit 489bb744; fixed in 489bb744

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
