The `Release PR Merged` workflow in the github repo taosdata/grafanaplugin is subject to a command injection vulnerability which allows for arbitrary code execution within the github action context due to the insecure usage of `${{ github.event.pull_request.title }}` in a bash command within the GitHub workflow. Attackers can inject malicious commands which will be executed by the workflow. This happens because `${{ github.event.pull_request.title }}` is directly passed to bash command on like 25 of the workflow. This may allow an attacker to gain access to secrets which the github action has access to or to otherwise make use of the compute resources.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-06-06T16:29:21.279Z
Updated: 2024-08-02T16:01:53.963Z
Reserved: 2023-05-25T21:56:51.247Z
Link: CVE-2023-34111
Vulnrichment
No data.
NVD
Status : Modified
Published: 2023-06-06T17:15:15.210
Modified: 2024-11-21T08:06:34.313
Link: CVE-2023-34111
Redhat
No data.