CVE-2023-51664
tj-actions/changed-files command injection in output filenames
In short
A GitHub action that lists changed files had a flaw where specially crafted filenames could execute arbitrary commands on the runner, potentially exposing secrets or compromising the build process.
Technical detail
CWE-74/CWE-77 command injection vulnerability in tj-actions/changed-files prior to 41.0.0 allows arbitrary code execution via malicious filenames in workflow runs. Attack vector requires an attacker to introduce specially crafted filenames in the repository; impact includes unauthorized command execution and potential secret exposure in the GitHub Actions environment.
Summary generated and translated by AI from the official description.
tj-actions/changed-files is a GitHub action to retrieve all files and directories. Prior to 41.0.0, the `tj-actions/changed-files` workflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. This issue may lead to arbitrary command execution in the GitHub Runner. This vulnerability has been addressed in version 41.0.0. Users are advised to upgrade.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
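To find workflows still on an affected release, the check below scans workflow YAML for `uses: tj-actions/changed-files@<ref>` and compares each ref against 41.0.0. It is an added example, not code from the tj-actions project; the sample workflow and its version tags are constructed, and commit-SHA or branch refs are reported as "unknown" because they cannot be ordered without the repository history.

```python
import re

FIXED = (41, 0, 0)  # first fixed release named in the description above
USES = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*['"]?tj-actions/changed-files@([^\s'"#]+)""", re.I)
TAG = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$")
SHA = re.compile(r"^[0-9a-fA-F]{40}$")

# Constructed sample workflow; the all-zero SHA is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - id: changed
        uses: tj-actions/changed-files@v40.2.1
      - uses: tj-actions/changed-files@v41
      - uses: tj-actions/changed-files@0000000000000000000000000000000000000000  # SHA pin
      - uses: tj-actions/changed-files@main
      # - uses: tj-actions/changed-files@v35
"""


def classify(ref):
    """Map one @ref to 'vulnerable', 'fixed' or 'unknown'."""
    if SHA.match(ref):           # checked first: an all-digit SHA also looks like a tag
        return "unknown"         # resolve the commit to a release by hand
    m = TAG.match(ref)
    if not m:
        return "unknown"         # branch name or other non-version ref
    # A floating tag such as v40 is treated as 40.0.0; it can never reach 41.0.0.
    version = tuple(int(part or 0) for part in m.groups())
    return "fixed" if version >= FIXED else "vulnerable"


def audit(workflow_text):
    """Return (line_number, ref, verdict) for every changed-files step."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), 1):
        m = USES.match(line)     # commented-out steps do not match
        if m:
            findings.append((number, m.group(1), classify(m.group(1))))
    return findings


if __name__ == "__main__":
    for number, ref, verdict in audit(SAMPLE):
        print(f"line {number}: @{ref} -> {verdict}")
```

To audit a repository, pass the contents of each file under `.github/workflows/` to `audit()`.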
Affected products
tj-actions · changed-files
References
https://github.com/tj-actions/changed-files/commit/0102c07446a3cad972f4afcbd0ee4dbc4b6d2d1b
https://github.com/tj-actions/changed-files/commit/716b1e13042866565e00e85fd4ec490e186c4a2f
https://github.com/tj-actions/changed-files/commit/ff2f6e6b91913a7be42be1b5917330fe442f2ede
https://github.com/tj-actions/changed-files/security/advisories/GHSA-mcph-m25j-8j63