Command injection vulnerability in changelog.yml CI workflow

Moderate
atodorov published GHSA-cw6r-6ccx-5hwx Apr 24, 2023

Package: kiwitcms/Kiwi (GitHub repository)
Affected versions: before 834c86dfd1b2492ccad7ebbfd6304bfec895fed2
Patched versions: 834c86dfd1b2492ccad7ebbfd6304bfec895fed2

Package: kiwitcms/enterprise (GitHub repository)
Affected versions: before e39f7e156fdaf6fec09a15ea6f4e8fec8cdbf751
Patched versions: e39f7e156fdaf6fec09a15ea6f4e8fec8cdbf751

Description

Summary

The changelog.yml workflow is vulnerable to command injection because it interpolates the untrusted github.head_ref field directly into a shell command.

Details

echo "INFO: source branch is: ${{ github.head_ref }}"

You can check this blog post for details: https://securitylab.github.com/research/github-actions-untrusted-input/

PoC

The github.head_ref value is an attacker-controlled value. Assigning the value to zzz";echo${IFS}"hello";# can lead to command injection.
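A hardened version of the step, as an added example and not the Kiwi TCMS project's own fix: the runner evaluates `${{ }}` expressions and substitutes the result into the script text before the shell ever runs, so an untrusted value placed directly in `run:` becomes shell syntax, whereas a value passed through `env:` reaches the shell as an ordinary variable that stays plain data inside double quotes. The workflow name, trigger and job name are assumptions.

```yaml
name: changelog  # assumed name; not the project's actual workflow file
on:
  pull_request:

jobs:
  changelog:
    runs-on: ubuntu-latest
    # Least privilege: the job's GITHUB_TOKEN is read-only, so even a
    # successful injection in this job could not write to the repository.
    permissions:
      contents: read
    steps:
      # Vulnerable pattern (the line quoted in the advisory): the expression
      # is expanded into the script text before bash parses it, so a branch
      # name containing a double quote and a semicolon closes the string and
      # injects a command.
      # - run: echo "INFO: source branch is: ${{ github.head_ref }}"

      # Hardened pattern: the untrusted value is handed to the shell as an
      # environment variable and only expanded inside double quotes, where
      # the shell treats it as data rather than as command syntax.
      - name: Print source branch
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: echo "INFO: source branch is: $HEAD_REF"
```

The same `env:` indirection applies to every other attacker-controlled context field (PR titles, bodies, commit messages, issue text), not only `github.head_ref`.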

Impact

Because the workflow's permissions are not restricted, an attacker who achieves command injection gains write access to the repository.

Severity

Moderate

CVE ID

CVE-2023-30628
