Vulnerability Information
Vulnerability Title
GitHub Action tj-actions/verify-changed-files is vulnerable to command injection in output filenames
Vulnerability Description
The [`tj-actions/verify-changed-files`](https://github.com/tj-actions/verify-changed-files) action allows command injection through changed filenames, letting an attacker execute arbitrary code and potentially leak secrets. The [`verify-changed-files`](https://github.com/tj-actions/verify-changed-files) workflow returns the list of files changed within a workflow execution. Filenames may contain special characters such as `;`, which an attacker can use to take over the [GitHub Runner](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners) if the output value is used in a raw fashion (that is, substituted directly into the script text before execution) inside a `run` block. By running custom commands, an attacker may be able to steal secrets such as `GITHUB_TOKEN` if the workflow is triggered on events other than `pull_request`. This has been patched in versions [17](https://github.com/tj-actions/verify-changed-files/releases/tag/v17) and [17.0.0](https://github.com/tj-actions/verify-changed-files/releases/tag/v17.0.0) by enabling `safe_output` by default and returning filename paths with special characters escaped for bash environments.
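The following workflow fragment is an added illustration, not from the advisory or the tj-actions project, showing the raw-interpolation pattern the description warns about next to a hardened form of the same step. It assumes the action exposes a `changed_files` output and that `safe_output` is a boolean input; the changed filename containing `;` is a constructed scenario, not a real payload.

```yaml
name: verify-changed-files usage (added example)
on: [push]
jobs:
  unsafe:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - id: verify
        uses: tj-actions/verify-changed-files@v17
        with:
          safe_output: false   # weak setting: filenames are returned unescaped
      # VULNERABLE: the ${{ }} expression is substituted into the script text
      # before bash runs it, so a changed filename containing `;` turns into a
      # command boundary and whatever follows it runs on the runner.
      - run: echo ${{ steps.verify.outputs.changed_files }}

  hardened:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - id: verify
        uses: tj-actions/verify-changed-files@v17
        with:
          safe_output: true    # default since v17; stated explicitly here
      # SAFE: hand the output to the shell through an environment variable and
      # quote it. The value is then data read at runtime, never script text,
      # so a `;` in a filename has no effect regardless of escaping.
      - run: |
          printf '%s\n' "$CHANGED_FILES"
        env:
          CHANGED_FILES: ${{ steps.verify.outputs.changed_files }}
```

The `env` + quoting pattern is the durable fix on the consumer side; `safe_output` escaping on the action side is defence in depth for workflows that still interpolate the value directly.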
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
Vulnerability Type
Improper Input Validation
Vulnerability Title
verify-changed-files Input Validation Error Vulnerability
Vulnerability Description
changed-files is used to track all changed files and directories relative to a target branch, a previous commit, or the last remote commit, returning their paths relative to the project root. Versions of verify-changed-files before 17.0.0 contain an input validation error vulnerability caused by command injection through changed filenames, which allows an attacker to execute arbitrary code and leak secrets.
CVSS Information
N/A
Vulnerability Type
N/A