
x/vulndb: potential Go vuln in github.com/taosdata/grafanaplugin: CVE-2023-34111 #1833

Closed
GoVulnBot opened this issue Jun 6, 2023 · 1 comment
Assignees
Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.

Comments

@GoVulnBot

CVE-2023-34111 references github.com/taosdata/grafanaplugin, which may be a Go module.

Description:
The Release PR Merged workflow in the github repo taosdata/grafanaplugin is subject to a command injection vulnerability which allows for arbitrary code execution within the github action context due to the insecure usage of ${{ github.event.pull_request.title }} in a bash command within the GitHub workflow. Attackers can inject malicious commands which will be executed by the workflow. This happens because ${{ github.event.pull_request.title }} is directly passed to a bash command on line 25 of the workflow. This may allow an attacker to gain access to secrets which the github action has access to or to otherwise make use of the compute resources.

References:

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/taosdata/grafanaplugin
      packages:
        - package: grafanaplugin
description: |
    The `Release PR Merged` workflow in the github repo taosdata/grafanaplugin is subject to a command injection vulnerability which allows for arbitrary code execution within the github action context due to the insecure usage of `${{ github.event.pull_request.title }}` in a bash command within the GitHub workflow. Attackers can inject malicious commands which will be executed by the workflow. This happens because `${{ github.event.pull_request.title }}` is directly passed to a bash command on line 25 of the workflow. This may allow an attacker to gain access to secrets which the github action has access to or to otherwise make use of the compute resources.
cves:
    - CVE-2023-34111
references:
    - advisory: https://github.com/taosdata/grafanaplugin/security/advisories/GHSA-23wp-p848-hcgr
    - web: https://github.com/taosdata/grafanaplugin/blob/master/.github/workflows/release-pr-merged.yaml#L25
    - web: https://securitylab.github.com/research/github-actions-untrusted-input/
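The report above describes expression substitution inside a `run:` step: the runner expands `${{ github.event.pull_request.title }}` into the script text before bash parses it. As an added example (not from the vulndb report or the taosdata project), this Python checker flags untrusted event expressions expanded directly inside `run:` scripts and is run over a constructed workflow that places the unsafe step beside the usual fix (pass the value through `env:` and quote the variable); the list of untrusted fields is an assumption drawn from the linked Security Lab write-up.

```python
import re

# Event fields whose values are chosen by whoever opened the PR, issue or comment
# (assumption: a subset of the list in the Security Lab article the report links).
UNTRUSTED_FIELDS = [
    "event.pull_request.title", "event.pull_request.body", "event.pull_request.head.ref",
    "event.pull_request.head.label", "event.issue.title", "event.issue.body",
    "event.comment.body", "event.review.body", "event.head_commit.message", "head_ref",
]
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.(?:" + "|".join(re.escape(f) for f in UNTRUSTED_FIELDS) + r")\s*\}\}"
)

def find_unsafe_run_steps(workflow_text):
    """(line_number, expression) for each untrusted ${{ }} expanded inside a run: script."""
    findings = []
    run_indent = None  # column of the current `run:` key while inside its script
    for num, line in enumerate(workflow_text.splitlines(), start=1):
        stripped = line.lstrip()
        if not stripped:
            continue  # blank lines do not end a YAML block scalar
        indent = len(line) - len(stripped)
        m = re.match(r"(-\s+)?run:\s*(.*)$", stripped)
        if m:  # the runner pastes the expanded value into this text before bash parses it
            run_indent = indent + len(m.group(1) or "")
            body = m.group(2)
        elif run_indent is not None and indent > run_indent:
            body = stripped  # continuation line of a `run: |` block scalar
        else:
            run_indent = None  # a sibling key or the next step ends the script
            continue
        findings.extend((num, e.group(0)) for e in UNTRUSTED.finditer(body))
    return findings

# Constructed sample in the shape of the reported workflow: an unsafe step and the
# fix beside it (the value passes through `env:` and is quoted inside the script).
SAMPLE_WORKFLOW = """\
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: unsafe, expression is substituted into the script text
        run: |
          echo "Merged: ${{ github.event.pull_request.title }}"
      - name: safe, value reaches bash only as an environment variable
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Merged: $PR_TITLE"
"""
```

Only the first step is reported (line 7 of the sample); the `env:` step is not, because the expression never enters the script text and bash sees the title as a single quoted variable value.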

@tatianab tatianab added the excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. label Jun 7, 2023
@tatianab tatianab self-assigned this Jun 7, 2023
@gopherbot
Contributor

Change https://go.dev/cl/501842 mentions this issue: data/excluded: batch add 15 excluded reports
