CVE-2023-52137

Summary

CVE-2023-52137 is a command injection vulnerability affecting the [`tj-actions/verify-changed-files`](https://github.com/tj-actions/verify-changed-files) GitHub action. This issue allows attackers to inject commands into the filename parameter, potentially leading to arbitrary code execution and secret leaks like `GITHUB_TOKEN`. The vulnerability arises when the workflow's output value (containing filenames) is used directly in a `run` block. An attacker could exploit this vulnerability by manipulating filenames with special characters, such as `;`, to take over the GitHub Runner and execute malicious commands. The vulnerability has been addressed in versions 17 and 17.0.0 with the default enablement of `safe_output` and the escaping of special characters in filenames for bash environments.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.