CVE-2023-34111

Published: Jun 6, 2023

Modified: Jan 7, 2025

PUBLISHED

CVSS v3.1

8.1

HIGH

Description

The `Release PR Merged` workflow in the github repo taosdata/grafanaplugin is subject to a command injection vulnerability which allows for arbitrary code execution within the github action context due to the insecure usage of `${{ github.event.pull_request.title }}` in a bash command within the GitHub workflow. Attackers can inject malicious commands which will be executed by the workflow. This happens because `${{ github.event.pull_request.title }}` is directly passed to bash command on like 25 of the workflow. This may allow an attacker to gain access to secrets which the github action has access to or to otherwise make use of the compute resources.

Vendor	Product	Versions
taosdata	grafanaplugin	affected `<= 2e4c82b002`

Weaknesses (CWE)

CWE-20

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

High

References

https://github.com/taosdata/grafanaplugin/security/advisories/GHSA-23wp-p848-hcgr

x_refsource_CONFIRM

https://github.com/taosdata/grafanaplugin/blob/master/.github/workflows/release-pr-merged.yaml#L25

x_refsource_MISC

https://securitylab.github.com/research/github-actions-untrusted-input/

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-34111

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References