CVE-2023-49291 - OpenCVE

tj-actions/branch-names is a Github action to retrieve branch or tag names with support for all events. The `tj-actions/branch-names` GitHub Actions improperly references the `github.event.pull_request.head.ref` and `github.head_ref` context variables within a GitHub Actions `run` step. The head ref variable is the branch name and can be used to execute arbitrary code using a specially crafted branch name. As a result an attacker can use this vulnerability to steal secrets from or abuse `GITHUB_TOKEN` permissions. This vulnerability has been addressed in version 7.0.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Tj-actions	Branch-names

Configuration 1 [-]

OR	cpe:2.3:a:tj-actions:branch-names::::::::
	cpe:2.3:a:tj-actions:branch-names::::::::

No data.

References

Link	Providers
https://github.com/tj-actions/branch-names/commit/4923d1ca41f928c24f1c1b3af9daaadfb71e6337
https://github.com/tj-actions/branch-names/commit/6c999acf206f5561e19f46301bb310e9e70d8815
https://github.com/tj-actions/branch-names/commit/726fe9ba5e9da4fcc716223b7994ffd0358af060
https://github.com/tj-actions/branch-names/security/advisories/GHSA-8v8w-v8xg-79rf
https://securitylab.github.com/research/github-actions-untrusted-input

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-12-04T23:21:33.367Z

Updated: 2024-08-02T21:53:44.957Z

Reserved: 2023-11-24T16:45:24.313Z

Link: CVE-2023-49291

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-12-05T00:15:09.403

Modified: 2023-12-08T17:24:26.643

Link: CVE-2023-49291

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-49291", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-11-24T16:45:24.313Z", "datePublished": "2023-12-04T23:21:33.367Z", "dateUpdated": "2024-08-02T21:53:44.957Z"}, "containers": {"cna": {"title": "Improper Sanitization of Branch Name Leads to Arbitrary Code Injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/tj-actions/branch-names/security/advisories/GHSA-8v8w-v8xg-79rf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/tj-actions/branch-names/security/advisories/GHSA-8v8w-v8xg-79rf"}, {"name": "https://github.com/tj-actions/branch-names/commit/4923d1ca41f928c24f1c1b3af9daaadfb71e6337", "tags": ["x_refsource_MISC"], "url": "https://github.com/tj-actions/branch-names/commit/4923d1ca41f928c24f1c1b3af9daaadfb71e6337"}, {"name": "https://github.com/tj-actions/branch-names/commit/6c999acf206f5561e19f46301bb310e9e70d8815", "tags": ["x_refsource_MISC"], "url": "https://github.com/tj-actions/branch-names/commit/6c999acf206f5561e19f46301bb310e9e70d8815"}, {"name": "https://github.com/tj-actions/branch-names/commit/726fe9ba5e9da4fcc716223b7994ffd0358af060", "tags": ["x_refsource_MISC"], "url": "https://github.com/tj-actions/branch-names/commit/726fe9ba5e9da4fcc716223b7994ffd0358af060"}, {"name": "https://securitylab.github.com/research/github-actions-untrusted-input", "tags": ["x_refsource_MISC"], "url": "https://securitylab.github.com/research/github-actions-untrusted-input"}], "affected": [{"vendor": "tj-actions", "product": "branch-names", "versions": [{"version": "< 7.0.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-12-04T23:21:33.367Z"}, "descriptions": [{"lang": "en", "value": "tj-actions/branch-names is a Github action to retrieve branch or tag names with support for all events. The `tj-actions/branch-names` GitHub Actions improperly references the `github.event.pull_request.head.ref` and `github.head_ref` context variables within a GitHub Actions `run` step. The head ref variable is the branch name and can be used to execute arbitrary code using a specially crafted branch name. As a result an attacker can use this vulnerability to steal secrets from or abuse `GITHUB_TOKEN` permissions. This vulnerability has been addressed in version 7.0.7. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-8v8w-v8xg-79rf", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:53:44.957Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/tj-actions/branch-names/security/advisories/GHSA-8v8w-v8xg-79rf", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/tj-actions/branch-names/security/advisories/GHSA-8v8w-v8xg-79rf"}, {"name": "https://github.com/tj-actions/branch-names/commit/4923d1ca41f928c24f1c1b3af9daaadfb71e6337", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/tj-actions/branch-names/commit/4923d1ca41f928c24f1c1b3af9daaadfb71e6337"}, {"name": "https://github.com/tj-actions/branch-names/commit/6c999acf206f5561e19f46301bb310e9e70d8815", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/tj-actions/branch-names/commit/6c999acf206f5561e19f46301bb310e9e70d8815"}, {"name": "https://github.com/tj-actions/branch-names/commit/726fe9ba5e9da4fcc716223b7994ffd0358af060", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/tj-actions/branch-names/commit/726fe9ba5e9da4fcc716223b7994ffd0358af060"}, {"name": "https://securitylab.github.com/research/github-actions-untrusted-input", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://securitylab.github.com/research/github-actions-untrusted-input"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tj-actions:branch-names:*:*:*:*:*:*:*:*", "matchCriteriaId": "4AB0A58B-E056-49E3-9CD4-063AF78D1ECB", "versionEndExcluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:tj-actions:branch-names:*:*:*:*:*:*:*:*", "matchCriteriaId": "04A7066A-CDAB-4C39-AD1F-87ADAF23495A", "versionEndExcluding": "7.0.7", "versionStartIncluding": "7.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "tj-actions/branch-names is a Github action to retrieve branch or tag names with support for all events. The `tj-actions/branch-names` GitHub Actions improperly references the `github.event.pull_request.head.ref` and `github.head_ref` context variables within a GitHub Actions `run` step. The head ref variable is the branch name and can be used to execute arbitrary code using a specially crafted branch name. As a result an attacker can use this vulnerability to steal secrets from or abuse `GITHUB_TOKEN` permissions. This vulnerability has been addressed in version 7.0.7. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "tj-actions/branch-names es una acci\u00f3n de Github para recuperar nombres de ramas o etiquetas con soporte para todos los eventos. Las GitHub Actions `tj-actions/branch-names` hacen referencia incorrectamente a las variables de contexto `github.event.pull_request.head.ref` y `github.head_ref` dentro de un paso de `ejecuci\u00f3n` de GitHub Actions. La variable head ref es el nombre de la rama y se puede usar para ejecutar c\u00f3digo arbitrario usando un nombre de rama especialmente manipulado. Como resultado, un atacante puede utilizar esta vulnerabilidad para robar secretos o abusar de los permisos \"GITHUB_TOKEN\". Esta vulnerabilidad se ha solucionado en la versi\u00f3n 7.0.7. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2023-49291", "lastModified": "2023-12-08T17:24:26.643", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-12-05T00:15:09.403", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/tj-actions/branch-names/commit/4923d1ca41f928c24f1c1b3af9daaadfb71e6337"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/tj-actions/branch-names/commit/6c999acf206f5561e19f46301bb310e9e70d8815"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/tj-actions/branch-names/commit/726fe9ba5e9da4fcc716223b7994ffd0358af060"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/tj-actions/branch-names/security/advisories/GHSA-8v8w-v8xg-79rf"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://securitylab.github.com/research/github-actions-untrusted-input"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Secondary"}]}