8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-27581

CVE-2023-27581: github-slug-action vulnerable to arbitrary code execution

Impact

This action uses the github.head_ref parameter in an insecure way.

This vulnerability can be triggered by any user on GitHub on any workflow using the action on pull requests. They just need to create a pull request with a branch name, which can contain the attack payload. (Note that first-time PR requests will not be run - but the attacker can submit a valid PR before submitting an invalid PR). This can be used to execute code on the GitHub runners (potentially use it for crypto-mining, and waste your resources) and to exfiltrate any secrets you use in the CI pipeline.

Patches

Pass the variable as an environment variable and then use the environment variable instead of substituting it directly.

Patched action is available on tag v4, tag v4.4.1, and any tag beyond.

Workarounds

No workaround is available if impacted, please upgrade the version

ℹ️ v3 and v4 are compatibles.

References

Here is a set of blog posts by Github's security team explaining this issue.

Thanks

Thanks to the team of researchers from Purdue University, who are working on finding vulnerabilities in CI/CD configurations of open-source software. Their tool detected this security vulnerability.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-27581

CVE-2023-27581:

8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
rlespinasse/github-slug-action	actions	>= 4.0.0, < 4.4.1	4.4.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unsafe handling of user-controlled input (github.head_ref) in a shell command. The removed step 'get-github-ref-name' in action.yml used direct substitution of github.head_ref in a bash script (refname="${{ github.head_ref || github.ref_name }}"), making it vulnerable to command injection. The patch replaced this with environment variable usage (env.GITHUB_HEAD_REF_RAW), which is treated as trusted input by GitHub Actions' context escaping rules. The removed bash script constitutes the vulnerable function as it directly executed untrusted input.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-27581: github-slug-action vulnerable to arbitrary code execution

Impact

Patches

Workarounds

References

Thanks

CVE-2023-27581:

8.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

8.8

8.8

Technical Details

CVE-2023-27581: github-slug-action vulnerable to arbitrary code execution

Impact

Patches

Workarounds

References

Thanks

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI