tj-actions/changed-files command injection in output filenames
CVE-2023-51664
7.3 HIGH
What is CVE-2023-51664?
The tj-actions/changed-files GitHub action, prior to version 41.0.0, is vulnerable to command injection attacks through manipulated filenames. An attacker could leverage this vulnerability to execute arbitrary commands, potentially exposing sensitive information through code execution within the GitHub Runner environment. To mitigate the risk, users should upgrade to at least version 41.0.0, where this issue has been resolved.
Affected Version(s)
changed-files < 41.0.0
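To check a repository against the affected range above, the following added example (not code from the advisory or from the tj-actions project) scans workflow text for `tj-actions/changed-files` steps and classifies each pinned ref against 41.0.0. The function names and the sample workflow are constructed for illustration.

```python
import re

# Step references such as "uses: tj-actions/changed-files@v40.2.3".
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?tj-actions/changed-files@([^\s'\"#]+)",
    re.IGNORECASE | re.MULTILINE,
)
TAG_RE = re.compile(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?")
SHA_RE = re.compile(r"[0-9a-fA-F]{40}")
FIXED = (41, 0, 0)  # first fixed release per the advisory


def classify_ref(ref):
    """Map the text after '@' to 'vulnerable', 'fixed' or 'unknown'."""
    tag = TAG_RE.fullmatch(ref)
    if SHA_RE.fullmatch(ref) or tag is None:
        # Commit SHAs and branch names cannot be tied to a release offline.
        return "unknown"
    # A floating tag such as "v40" tracks the 40.x line, so missing parts are 0.
    version = tuple(int(part or 0) for part in tag.groups())
    return "vulnerable" if version < FIXED else "fixed"


def audit_workflow(text):
    """Return (line_number, ref, status) for each changed-files step."""
    findings = []
    for match in USES_RE.finditer(text):
        line_no = text.count("\n", 0, match.start(1)) + 1
        findings.append((line_no, match.group(1), classify_ref(match.group(1))))
    return findings


# Constructed sample workflow; the SHA is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  lint:
    steps:
      - uses: actions/checkout@v4
      - id: changed
        uses: tj-actions/changed-files@v40.2.3
      - uses: tj-actions/changed-files@v41
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567
      - uses: tj-actions/changed-files@v35
"""

if __name__ == "__main__":
    for line_no, ref, status in audit_workflow(SAMPLE):
        print(f"line {line_no}: @{ref} -> {status}")
```

Refs reported as `unknown` (commit SHAs, branch names) have to be mapped to a release by hand before they can be cleared.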