GitHub Action tj-actions/verify-changed-files is vulnerable to command injection in output filenames
CVE-2023-52137
7.7 HIGH
Summary
The tj-actions/verify-changed-files action is susceptible to command injection through user-controlled filenames. The action reports the names of changed files as step outputs. When those outputs are interpolated into a run block with a ${{ }} expression, GitHub Actions substitutes the values into the script text before the shell parses it, so a filename that contains shell metacharacters such as ; is executed as a command rather than treated as data. Anyone who can introduce such a filename into the repository (for example through a pull request) can execute arbitrary commands on the GitHub runner, which can expose secrets available to the job, such as the GITHUB_TOKEN. The issue has been resolved in version 17.0.0 (also published under the tag 17) by adding a safe_output setting and escaping special characters in the emitted filenames so that they are safe for bash. Independently of the action version, workflows should not place ${{ }} expressions inside run blocks at all; untrusted values should be passed through env: and referenced as quoted shell variables, and third-party actions should be pinned to a full commit SHA.
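The mechanism above, as an added example that is not code from tj-actions or from the advisory: a POSIX shell script that simulates GitHub's textual expansion of a ${{ }} expression into a run block with plain string interpolation, runs the same constructed malicious filename through an unquoted-interpolation step (the vulnerable pattern), a step that receives the value via the environment (the mitigation GitHub recommends), and a step that escapes the filename before interpolation (the approach the fixed release takes; the single-quote escaping here is a generic illustration and is not the action's own safe_output implementation). The filename, step names and function names are all constructed for this example.

```shell
#!/bin/sh
# Added example for CVE-2023-52137; not code from tj-actions or the advisory.
# GitHub Actions pastes the text of a ${{ ... }} expression into the `run:`
# script before the shell parses it. The functions below reproduce that with
# ordinary string interpolation so the injection can be observed locally.

# Constructed, attacker-controlled filename, e.g. a file added in a PR.
MALICIOUS_FILE='docs/README.md; echo INJECTED'

# Simulates:
#   run: echo changed: ${{ steps.verify.outputs.changed_files }}
# The output becomes part of the script text, so the ';' terminates the
# echo command and the remainder of the filename runs as a second command.
vulnerable_step() {
    script="echo changed: $1"
    sh -c "$script"
}

# Simulates the recommended pattern for any untrusted expression:
#   env:
#     CHANGED_FILES: ${{ steps.verify.outputs.changed_files }}
#   run: echo "changed: $CHANGED_FILES"
# The value reaches the shell as variable data, never as script text.
hardened_step() {
    CHANGED_FILES="$1" sh -c 'echo "changed: $CHANGED_FILES"'
}

# Illustrative escaping of a filename for bash before it is emitted as an
# output (single-quote wrapping with ' rewritten as '\''). The action's real
# safe_output code may use a different scheme; this only shows the idea.
# Escaping protects the unquoted interpolation above, but passing the value
# through env remains the safer habit.
shell_escape() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Simulates the same unquoted run block consuming an escaped output.
escaped_output_step() {
    script="echo changed: $(shell_escape "$1")"
    sh -c "$script"
}

# Runs one simulated step on MALICIOUS_FILE; returns 0 if the injected
# marker command executed, 1 otherwise.
was_injected() {
    "$1" "$MALICIOUS_FILE" | grep -q '^INJECTED$'
}

for step in vulnerable_step hardened_step escaped_output_step; do
    if was_injected "$step"; then
        echo "$step: INJECTED"
    else
        echo "$step: safe"
    fi
done
```

Running the script prints "vulnerable_step: INJECTED" followed by "hardened_step: safe" and "escaped_output_step: safe". The same filename is used in all three cases; only how it crosses the boundary between data and script text changes, which is the whole point of the fix.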
Affected Version(s)
verify-changed-files < 17.0.0
CVSS V3.1
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:H
Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed