GHSA-6Q4M-7476-932W

Vulnerability from github – Published: 2023-03-13 20:43 – Updated: 2025-02-18 22:42
Summary
github-slug-action vulnerable to arbitrary code execution
Details

Impact

This action uses the github.head_ref parameter in an insecure way.

This vulnerability can be triggered by any GitHub user against any workflow that runs the action on pull requests. They only need to open a pull request from a branch whose name contains the attack payload. (Workflows for a first-time contributor's pull request are not run automatically, but the attacker can first submit a valid PR and then the malicious one.) This can be used to execute code on the GitHub runners (for example for crypto-mining, wasting your resources) and to exfiltrate any secrets the CI pipeline uses.

Patches

Pass the variable as an environment variable and then use the environment variable instead of substituting it directly.

Patched action is available on tag v4, tag v4.4.1, and any tag beyond.
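As an added illustration (constructed here, not code from the advisory or from the github-slug-action project), the workflow below places the unsafe pattern the advisory describes beside the patched pattern. In the first step the Actions runner substitutes the branch name into the script text before bash parses it; in the second step the value is bound to an environment variable, so bash reads it as plain data. The workflow name, step names, the variable name HEAD_REF and the simplified slugify (tr only) are assumptions.

```yaml
name: slug-example   # constructed example workflow, not the project's own

on:
  pull_request:

jobs:
  slug:
    runs-on: ubuntu-latest
    steps:
      # UNSAFE (the pattern fixed in v4.4.1): `${{ github.head_ref }}` is
      # expanded by the Actions runner *before* bash starts, so the PR branch
      # name becomes part of the script source. A branch name that closes the
      # quote and adds shell metacharacters is parsed as commands (CWE-77).
      - name: Slugify head ref (vulnerable pattern)
        run: |
          slug=$(echo '${{ github.head_ref }}' | tr '/' '-')
          echo "GITHUB_HEAD_REF_SLUG=$slug" >> "$GITHUB_ENV"

      # PATCHED: bind the untrusted value in the step's `env:` block. The
      # runner places it in the process environment; bash then sees
      # "$HEAD_REF" as an ordinary variable expansion and never parses the
      # branch name as script text, whatever characters it contains.
      - name: Slugify head ref (patched pattern)
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          slug=$(printf '%s' "$HEAD_REF" | tr '/' '-')
          echo "GITHUB_HEAD_REF_SLUG=$slug" >> "$GITHUB_ENV"
```

When auditing your own workflows, any `run:` script whose text contains `${{ github.head_ref }}` should be rewritten to the `env:` form; the same indirection applies to other pull-request-controlled context values interpolated into scripts.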

Workarounds

No workaround is available; if impacted, upgrade to a patched version.

ℹ️ v3 and v4 are compatible.

References

Here (https://securitylab.github.com/research/github-actions-untrusted-input/) is a set of blog posts by GitHub's security team explaining this issue.

Thanks

Thanks to the team of researchers from Purdue University, who are working on finding vulnerabilities in CI/CD configurations of open-source software. Their tool detected this security vulnerability.


{
  "affected": [
    {
      "package": {
        "ecosystem": "GitHub Actions",
        "name": "rlespinasse/github-slug-action"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-27581"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-13T20:43:33Z",
    "nvd_published_at": "2023-03-13T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThis action uses the `github.head_ref` parameter in an insecure way. \n\nThis vulnerability can be triggered by any user on GitHub on any workflow using the action on pull requests. They just need to create a pull request with a branch name, which can contain the attack payload. (Note that first-time PR requests will not be run - but the attacker can submit a valid PR before submitting an invalid PR).  This can be used to execute code on the GitHub runners (potentially use it for crypto-mining, and waste your resources) and to exfiltrate any secrets you use in the CI pipeline.\n\n### Patches\n\n\u003e Pass the variable as an environment variable and then use the environment variable instead of substituting it directly.\n\nPatched action is available on tag **v4**, tag **v4.4.1**, and any tag beyond.\n\n### Workarounds\n\nNo workaround is available if impacted, please upgrade the version\n\n\u003e \u2139\ufe0f **v3** and **v4** are compatibles.\n\n### References\n\n[Here](https://securitylab.github.com/research/github-actions-untrusted-input/) is a set of blog posts by Github\u0027s security team explaining this issue.\n\n### Thanks\n\nThanks to the team of researchers from Purdue University, who are working on finding vulnerabilities in CI/CD configurations of open-source software. Their tool detected this security vulnerability.",
  "id": "GHSA-6q4m-7476-932w",
  "modified": "2025-02-18T22:42:28Z",
  "published": "2023-03-13T20:43:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rlespinasse/github-slug-action/security/advisories/GHSA-6q4m-7476-932w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27581"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rlespinasse/github-slug-action/commit/102b1a064a9b145e56556e22b18b19c624538d94"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rlespinasse/github-slug-action"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rlespinasse/github-slug-action/releases/tag/v4.4.1"
    },
    {
      "type": "WEB",
      "url": "https://securitylab.github.com/research/github-actions-untrusted-input"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "github-slug-action vulnerable to arbitrary code execution"
}
