Summary
The command injection vulnerability allows for arbitrary code execution due to the insecure usage of ${{ github.event.pull_request.title }} in a bash command within the GitHub workflow.
Details
Attackers can inject malicious commands which will be executed by the workflow. This happens because ${{ github.event.pull_request.title }} is passed directly to a bash command (link).
PoC
Refer to the blog post by GitHub Security Lab for details on how to exploit the vulnerability.
Impact
This command injection vulnerability poses a significant security risk as it allows an attacker to execute arbitrary commands within the context of the workflow. For example, if the GITHUB_TOKEN with a read/write scope is exfiltrated by the attacker, they gain the ability to push malicious code into the repository, among other privileges.
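Added example, not part of the advisory or the affected project's code: a Python check that flags contributor-controlled ${{ github.* }} expressions expanded inside run: scripts, applied to two constructed workflows (the pattern described above and a form that passes the title through an environment variable). The workflow text, the PR_TITLE variable name and the function name are assumptions, and the check generalizes from the pull request title to a few other contributor-controlled fields.

```python
import re

# Expressions whose value a pull request or issue author controls (a subset).
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.(?:head_ref|event\.(?:pull_request\.(?:title|body|head\.ref)"
    r"|issue\.(?:title|body)|comment\.body))\s*\}\}"
)
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

def find_injectable_runs(workflow_text):
    """Return (line_no, expression) for untrusted expressions inside run: scripts."""
    findings, run_col = [], None  # run_col: column of the active run: key
    for no, line in enumerate(workflow_text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        m = RUN_KEY.match(line)
        if m:  # inline script, or a "|" / ">" block scalar header
            run_col, script = len(m.group(1)), m.group(2)
        elif run_col is not None and (not line.strip() or indent > run_col):
            script = line  # continuation of the block scalar
        else:
            run_col = None  # back to ordinary YAML keys such as env:
            continue
        findings += [(no, expr) for expr in UNTRUSTED.findall(script)]
    return findings

# Constructed sample workflows (not taken from the affected repository).
HEADER = """\
on: pull_request
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
"""
# The expression is substituted into the script text before bash parses it.
VULNERABLE = HEADER + """\
      - run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
"""
# The title reaches bash as an environment variable, so it is handled as data.
HARDENED = HEADER + """\
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "PR title: $PR_TITLE"
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, find_injectable_runs(text))
```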