Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
github-slug-action vulnerable to arbitrary code execution
Vulnerability Description
github-slug-action is a GitHub Action to expose slug value of GitHub environment variables inside of one's GitHub workflow. Starting in version 4.0.0` and prior to version 4.4.1, this action uses the `github.head_ref` parameter in an insecure way. This vulnerability can be triggered by any user on GitHub on any workflow using the action on pull requests. They just need to create a pull request with a branch name, which can contain the attack payload. This can be used to execute code on the GitHub runners and to exfiltrate any secrets one uses in the CI pipeline. A patched action is available in version 4.4.1. No workaround is available.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
在命令中使用的特殊元素转义处理不恰当(命令注入)
Vulnerability Title
GitHub Slug action 命令注入漏洞
Vulnerability Description
GitHub Slug action是用于在 GitHub 工作流程中公开 GitHub 环境变量的 slug 值的工具。 GitHub Slug action 4.0.0版本至4.4.1之前版本存在命令注入漏洞。攻击者利用该漏洞在GitHub运行器上执行代码,并泄露在CI管道中使用的任何信息。
CVSS Information
N/A
Vulnerability Type
N/A