Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Improper Sanitization of Branch Name Leads to Arbitrary Code Injection
Vulnerability Description
tj-actions/branch-names is a Github action to retrieve branch or tag names with support for all events. The `tj-actions/branch-names` GitHub Actions improperly references the `github.event.pull_request.head.ref` and `github.head_ref` context variables within a GitHub Actions `run` step. The head ref variable is the branch name and can be used to execute arbitrary code using a specially crafted branch name. As a result an attacker can use this vulnerability to steal secrets from or abuse `GITHUB_TOKEN` permissions. This vulnerability has been addressed in version 7.0.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N
Vulnerability Type
输入验证不恰当
Vulnerability Title
branch-names 输入验证错误漏洞
Vulnerability Description
branch-names是一个用于检索分支或标签名称的工具。 branch-names 7.0.7之前版本存在输入验证错误漏洞,该漏洞源于不正确引用上下文变量,攻击者利用此漏洞可以执行任意代码。
CVSS Information
N/A
Vulnerability Type
N/A