{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/njzjz/wenxian/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GitHub Actions","njzjz/wenxian"],"_cs_severities":["critical"],"_cs_tags":["github-actions","command-injection","ci-cd"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eA GitHub Actions workflow in the \u003ccode\u003eactions/njzjz/wenxian\u003c/code\u003e repository (versions \u0026lt;= 0.3.1) is vulnerable to command injection. The workflow is triggered by \u003ccode\u003eissue_comment\u003c/code\u003e events, which allows external users to inject arbitrary shell commands. The vulnerability arises because the workflow directly interpolates untrusted user input from \u003ccode\u003egithub.event.comment.body\u003c/code\u003e into a shell command without proper sanitization. This occurs within the \u003ccode\u003erun\u003c/code\u003e context of a step, where \u003ccode\u003e${{ }}\u003c/code\u003e expressions are evaluated before execution. Successful exploitation allows remote attackers to execute arbitrary code on the runner, potentially compromising the CI/CD pipeline and exfiltrating sensitive data. This poses a significant risk to the integrity and confidentiality of the affected repository.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker submits a malicious comment to a GitHub issue in the affected repository, crafted to exploit the command injection vulnerability.\u003c/li\u003e\n\u003cli\u003eThe comment contains a payload designed to break out of the intended command context and inject arbitrary shell commands.\u003c/li\u003e\n\u003cli\u003eThe GitHub Actions workflow is triggered by the \u003ccode\u003eissue_comment\u003c/code\u003e event.\u003c/li\u003e\n\u003cli\u003eThe workflow executes the vulnerable step, which interpolates the attacker-controlled \u003ccode\u003egithub.event.comment.body\u003c/code\u003e into a shell command. Specifically, the command \u003ccode\u003eecho identifiers=$(echo \u0026quot;${{ github.event.comment.body }}\u0026quot; | grep -oE '@njzjz-bot .*' | head -n1 | cut -c12- | xargs) \u0026gt;\u0026gt; $GITHUB_OUTPUT\u003c/code\u003e is executed.\u003c/li\u003e\n\u003cli\u003eThe attacker's injected commands are executed on the GitHub Actions runner with the privileges of the runner environment.\u003c/li\u003e\n\u003cli\u003eThe attacker could leverage access to the \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e to interact with the repository, potentially exfiltrating data or modifying code.\u003c/li\u003e\n\u003cli\u003eThe attacker can use the injected commands to compromise the CI/CD pipeline.\u003c/li\u003e\n\u003cli\u003eThe final objective is arbitrary code execution on the runner, data exfiltration, or CI/CD pipeline compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows remote attackers to inject arbitrary shell commands into the GitHub Actions runner by posting malicious comments on issues. Successful exploitation can lead to the execution of arbitrary code within the runner environment. This could provide attackers with access to sensitive information, including the \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e, allowing them to exfiltrate repository data or modify code. The compromise of the CI/CD pipeline can lead to supply chain attacks and other severe consequences. The \u003ccode\u003eactions/njzjz/wenxian\u003c/code\u003e repository (vulnerable: \u0026lt;= 0.3.1) is affected by this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026quot;Detect GitHub Actions Command Injection via Issue Comments\u0026quot; Sigma rule to detect exploitation attempts by monitoring process creation events with suspicious command line arguments.\u003c/li\u003e\n\u003cli\u003eImplement the suggested fix provided in the advisory by passing \u003ccode\u003egithub.event.comment.body\u003c/code\u003e through an environment variable and referencing it safely within the script to mitigate the command injection vulnerability.\u003c/li\u003e\n\u003cli\u003eAudit all GitHub Actions workflows for similar vulnerabilities where untrusted user input is directly interpolated into shell commands, and apply proper sanitization techniques.\u003c/li\u003e\n\u003cli\u003ePatch \u003ccode\u003eactions/njzjz/wenxian\u003c/code\u003e to a version greater than 0.3.1 to remediate CVE-2026-34243.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T17:23:00Z","date_published":"2024-01-03T17:23:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-github-actions-injection/","summary":"A GitHub Actions workflow uses untrusted user input from `issue_comment.body` directly inside a shell command, allowing potential command injection and arbitrary code execution on the runner.","title":"GitHub Actions Workflow Command Injection via Issue Comments","url":"https://feed.craftedsignal.io/briefs/2024-01-03-github-actions-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Njzjz/Wenxian","version":"https://jsonfeed.org/version/1.1"}