CVE-2023-52137

The [`tj-actions/verify-changed-files`](https://github.com/tj-actions/verify-changed-files) action allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. The [`verify-changed-files`](https://github.com/tj-actions/verify-changed-files) workflow returns the list of files changed within a workflow execution. This could potentially allow filenames that contain special characters such as `;` which can be used by an attacker to take over the [GitHub Runner](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners) if the output value is used in a raw fashion (thus being directly replaced before execution) inside a `run` block. By running custom commands, an attacker may be able to steal secrets such as `GITHUB_TOKEN` if triggered on other events than `pull_request`. This has been patched in versions [17](https://github.com/tj-actions/verify-changed-files/releases/tag/v17) and [17.0.0](https://github.com/tj-actions/verify-changed-files/releases/tag/v17.0.0) by enabling `safe_output` by default and returning filename paths escaping special characters for bash environments.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/tj-actions/verify-changed-files/commit/498d3f316f501aa72485060e8c96fde7b2014f12	Patch
https://github.com/tj-actions/verify-changed-files/commit/592e305da041c09a009afa4a43c97d889bed65c3	Patch
https://github.com/tj-actions/verify-changed-files/security/advisories/GHSA-ghm2-rq8q-wrhc	Exploit Mitigation Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:tj-actions:verify-changed-files:*:*:*:*:*:github:*:*

History

29 Dec 2023, 19:28

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-12-29 17:16

Updated : 2024-02-05 00:22

NVD link : CVE-2023-52137

Mitre link : CVE-2023-52137

CVE.ORG link : CVE-2023-52137

JSON object : View

Products Affected

tj-actions

verify-changed-files

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-20

Improper Input Validation

{"id": "CVE-2023-52137", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.3, "exploitabilityScore": 1.8}]}, "published": "2023-12-29T17:16:07.560", "references": [{"url": "https://github.com/tj-actions/verify-changed-files/commit/498d3f316f501aa72485060e8c96fde7b2014f12", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/tj-actions/verify-changed-files/commit/592e305da041c09a009afa4a43c97d889bed65c3", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/tj-actions/verify-changed-files/security/advisories/GHSA-ghm2-rq8q-wrhc", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-77"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "The [`tj-actions/verify-changed-files`](https://github.com/tj-actions/verify-changed-files) action allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. The [`verify-changed-files`](https://github.com/tj-actions/verify-changed-files) workflow returns the list of files changed within a workflow execution. This could potentially allow filenames that contain special characters such as `;` which can be used by an attacker to take over the [GitHub Runner](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners) if the output value is used in a raw fashion (thus being directly replaced before execution) inside a `run` block. By running custom commands, an attacker may be able to steal secrets such as `GITHUB_TOKEN` if triggered on other events than `pull_request`.\n\nThis has been patched in versions [17](https://github.com/tj-actions/verify-changed-files/releases/tag/v17) and [17.0.0](https://github.com/tj-actions/verify-changed-files/releases/tag/v17.0.0) by enabling `safe_output` by default and returning filename paths escaping special characters for bash environments."}, {"lang": "es", "value": "La acci\u00f3n [`tj-actions/verify-changed-files`](https://github.com/tj-actions/verify-changed-files) permite la inyecci\u00f3n de comandos en nombres de archivos modificados, lo que permite a un atacante ejecutar c\u00f3digo arbitrario y potencialmente filtrar secretos. El workflow [`verify-changed-files`](https://github.com/tj-actions/verify-changed-files) devuelve la lista de archivos modificados dentro de una ejecuci\u00f3n de flujo de trabajo. Potencialmente, esto podr\u00eda permitir nombres de archivos que contengan caracteres especiales como `;` que un atacante puede utilizar para hacerse cargo de [GitHub Runner](https://docs.github.com/en/actions/using-github-hosted- runners/about-github-hosted-runners) si el valor de salida se usa sin formato (por lo tanto, se reemplaza directamente antes de la ejecuci\u00f3n) dentro de un bloque \"run\". Al ejecutar comandos personalizados, un atacante puede robar secretos como `GITHUB_TOKEN` si se activan en otros eventos distintos de `pull_request`. Esto ha sido parcheado en las versiones [17](https://github.com/tj-actions/verify-changed-files/releases/tag/v17) y [17.0.0](https://github.com/tj -actions/verify-changed-files/releases/tag/v17.0.0) habilitando `safe_output` de forma predeterminada y devolviendo rutas de nombres de archivos que escapan de caracteres especiales para entornos bash."}], "lastModified": "2024-01-10T16:59:18.837", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tj-actions:verify-changed-files:*:*:*:*:*:github:*:*", "vulnerable": true, "matchCriteriaId": "05164557-E263-4CD7-BEBE-6E7EAA93AECE", "versionEndExcluding": "17.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}