Skip to content

github-slug-action vulnerable to arbitrary code execution

High severity GitHub Reviewed Published Mar 13, 2023 in rlespinasse/github-slug-action • Updated Apr 16, 2024

Package

actions rlespinasse/github-slug-action (GitHub Actions)

Affected versions

>= 4.0.0, < 4.4.1

Patched versions

4.4.1

Description

Impact

This action uses the github.head_ref parameter in an insecure way.

This vulnerability can be triggered by any user on GitHub on any workflow using the action on pull requests. They just need to create a pull request with a branch name, which can contain the attack payload. (Note that first-time PR requests will not be run - but the attacker can submit a valid PR before submitting an invalid PR). This can be used to execute code on the GitHub runners (potentially use it for crypto-mining, and waste your resources) and to exfiltrate any secrets you use in the CI pipeline.

Patches

Pass the variable as an environment variable and then use the environment variable instead of substituting it directly.

Patched action is available on tag v4, tag v4.4.1, and any tag beyond.

Workarounds

No workaround is available if impacted, please upgrade the version

ℹ️ v3 and v4 are compatibles.

References

Here is a set of blog posts by Github's security team explaining this issue.

Thanks

Thanks to the team of researchers from Purdue University, who are working on finding vulnerabilities in CI/CD configurations of open-source software. Their tool detected this security vulnerability.

References

Published to the GitHub Advisory Database Mar 13, 2023
Reviewed Mar 13, 2023
Published by the National Vulnerability Database Mar 13, 2023
Last updated Apr 16, 2024

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS score

0.225%
(60th percentile)

Weaknesses

CVE ID

CVE-2023-27581

GHSA ID

GHSA-6q4m-7476-932w

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.