CVE-2023-51664 HIGH

CVE-2023-51664: tj-actions/changed-files command injection in output filenames

Vendor Tj-Actions
Product changed-files
Weakness CWE-77
Published December 27, 2023
Last update September 25, 2024

CVSS base score

7.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

Description

tj-actions/changed-files is a GitHub Action that retrieves all changed files and directories. Prior to 41.0.0, the `tj-actions/changed-files` workflow allows command injection through changed filenames, letting an attacker execute arbitrary code and potentially leak secrets. This issue may lead to arbitrary command execution on the GitHub runner. The vulnerability has been addressed in version 41.0.0; users are advised to upgrade.
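The root cause is that a filename chosen by whoever opened the pull request ends up inside a shell script. As an added example (not code from this record or from the tj-actions project), the script below shows a defensive way for a workflow step to consume such a list: the names are passed through an environment variable rather than substituted into the step text, are only ever used quoted, and are rejected if they contain shell metacharacters. The sample filenames, the step id `changed`, and the function names are constructed for the illustration.

```bash
#!/usr/bin/env bash
# Added example: defensively consuming a changed-files list in a run step.
# In the workflow the list should reach the shell via env, not via an
# expression pasted into the script text (the step id is an assumption):
#   env:
#     CHANGED: ${{ steps.changed.outputs.all_changed_files }}
#   run: process_changed_files "$CHANGED"

# Constructed sample list: one benign name and one crafted name that embeds
# a command substitution, as an attacker-controlled filename would.
SAMPLE_FILES='src/main.c
docs/$(touch /tmp/injected).md'

# Return 0 only if every newline-separated name is limited to a conservative
# safe alphabet. Widen the allowlist deliberately if the repository needs
# spaces or other characters; anything outside it is rejected, not escaped.
validate_filenames() {
  local list="$1" name
  while IFS= read -r name; do
    [ -z "$name" ] && continue
    case "$name" in
      *[!A-Za-z0-9._/-]*) return 1 ;;
    esac
  done <<< "$list"
  return 0
}

# Iterate the list one name per line and print how many names were handled.
# Each name is only used as a quoted argument, so the embedded $(...) in the
# crafted sample is inert data here, never evaluated by the shell.
process_changed_files() {
  local list="$1" name count=0
  while IFS= read -r name; do
    [ -z "$name" ] && continue
    # Real work would go here, e.g. a linter invoked on "$name".
    count=$((count + 1))
  done <<< "$list"
  echo "$count"
}
```

Run the validation before any per-file tool is invoked and fail the job on rejection; the second function only shows that quoting alone keeps the metacharacters inert.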

Key dates

Disclosure timeline

December 27, 2023 CVE published
September 25, 2024 Record updated