CVE-2023-26493
📋 TL;DR
This CVE describes a shell command injection in a Cocos Engine GitHub Actions workflow (.github/workflows/web-interface-check.yml). The workflow interpolated the attacker-controlled expression `${{ github.head_ref }}` (the head branch name of a pull request) directly into a `run:` step, so anyone who forked the repository and opened a pull request with a crafted branch name could execute arbitrary commands on the GitHub runner with the workflow's GITHUB_TOKEN, enough to modify the repository and read its secrets. The workflow has been removed from the upstream repository; the only action needed is to remove any copy of it you carried into other repositories.
💻 Affected Systems
- Cocos Engine
📦 What is this software?
Cocos Engine (cocos-engine) is the open-source runtime behind Cocos Creator, a cross-platform game engine targeting web and native platforms. The vulnerability is not in the engine code itself but in a CI workflow in the engine's GitHub repository.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the GitHub repository including code modification, secret theft (GITHUB_TOKEN), and potential supply chain attacks through malicious commits.
Likely Case
Unauthorized command execution on GitHub Runners leading to repository manipulation and potential secret exfiltration.
If Mitigated
No impact as the vulnerable workflow has been removed from the repository.
🎯 Exploit Status
Exploitation required only a fork of the repository and a pull request whose head branch name contained shell metacharacters; no credentials on the target repository were needed, since GitHub expands `${{ github.head_ref }}` into the step script before the runner's shell parses it. The vulnerability has been fixed by removing the workflow.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Workflow removed in commit 6d06aefa2684e20da79e7ceaf41f728c1a8d7a41
Vendor Advisory: https://securitylab.github.com/advisories/GHSL-2023-027_Engine_for_Cocos_Creator/
Restart Required: No
Instructions:
1. Ensure your repository uses the latest version from the official Cocos Engine repository.
2. Verify the .github/workflows/web-interface-check.yml file has been removed.
3. If you copied this workflow to other repositories, remove it there as well.
🔧 Temporary Workarounds
Remove vulnerable workflow
Delete the web-interface-check.yml workflow file from your repository:
rm .github/workflows/web-interface-check.yml
🧯 If You Can't Patch
- Disable GitHub Actions for the repository temporarily
- Review and audit all GitHub Actions workflows for the same pattern: any attacker-controlled expression context (`github.head_ref`, `github.event.pull_request.title` or `.body`, commit messages, issue and comment bodies) placed inside a `run:` step. Pass such values through `env:` and reference them as quoted shell variables instead, and be especially careful with workflows triggered by `pull_request_target` or `issue_comment`, which run with the base repository's secrets.
🔍 How to Verify
Check if Vulnerable:
Check whether .github/workflows/web-interface-check.yml exists in your repository and whether it interpolates `${{ github.head_ref }}` (or another attacker-controlled context) directly inside a `run:` step. The same value assigned under `env:` and used as a quoted shell variable is not injectable; the defect is the expression being expanded into the script text before the shell parses it.
Check Version:
git log --oneline -n 5 -- .github/workflows/web-interface-check.yml
Verify Fix Applied:
Confirm the web-interface-check.yml file no longer exists in the .github/workflows/ directory (the `--` above is needed so git treats a deleted path as a path rather than a revision), or confirm that commit 6d06aefa2684e20da79e7ceaf41f728c1a8d7a41 is an ancestor of your checkout.
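The following is an added example, not code from the Cocos project or from the GHSL advisory: a bash scanner for the pattern this section asks you to check for and that the audit advice under "If You Can't Patch" asks you to look for across all workflows. It flags any `run:` script line that interpolates an attacker-controlled expression context (`github.head_ref` as in this CVE, plus pull request title/body, commit message and comment body contexts) and leaves `env:` assignments alone, because those reach the shell as variables rather than as script text. The two workflow files it scans are constructed inline to show the vulnerable shape beside the hardened one; they are not the real web-interface-check.yml, and the list of untrusted contexts is a selection, not an exhaustive one.

```bash
#!/usr/bin/env bash
# Added example (not the Cocos project's own code): scan GitHub Actions workflow
# files for the CVE-2023-26493 pattern, an attacker-controlled expression context
# such as ${{ github.head_ref }} expanded directly into a run: script.
set -u

# Expression contexts an outside contributor controls through a fork pull request
# (branch name, PR title/body, commit message, comment bodies). This is a selection
# for illustration, not a complete list. GitHub expands ${{ }} before the runner's
# shell sees the script, so any of these inside run: is shell injection.
UNTRUSTED_CONTEXTS='github\.head_ref|github\.event\.pull_request\.(title|body)|github\.event\.pull_request\.head\.(ref|label)|github\.event\.pull_request\.head\.repo\.(name|full_name)|github\.event\.head_commit\.message|github\.event\.(issue|comment|review|review_comment)\.body|github\.event\.issue\.title'

# scan_workflow FILE: print "FILE:LINE: text" for every run: script line that
# interpolates an untrusted context. Returns 0 when clean, 1 when anything is flagged.
# Only run: scripts are flagged; the same context assigned under env: is safe because
# the value reaches the shell as an environment variable, not as script text.
scan_workflow() {
  local file="$1" run_indent=-1 hits=0 lineno=0 line stripped indent
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    stripped="${line#"${line%%[![:space:]]*}"}"      # line without leading whitespace
    indent=$(( ${#line} - ${#stripped} ))
    # A non-blank line indented no deeper than the run: key closes its script block.
    if [ "$run_indent" -ge 0 ] && [ -n "$stripped" ] && [ "$indent" -le "$run_indent" ]; then
      run_indent=-1
    fi
    case "$stripped" in
      run:*|-\ run:*) run_indent=$indent ;;           # "run: cmd", "run: |", "- run: ..."
    esac
    if [ "$run_indent" -ge 0 ] && printf '%s\n' "$line" \
         | grep -Eq '[$][{][{][^}]*('"$UNTRUSTED_CONTEXTS"')[^}]*[}][}]'; then
      printf '%s:%d: %s\n' "$file" "$lineno" "$stripped"
      hits=$((hits + 1))
    fi
  done < "$file"
  [ "$hits" -eq 0 ]
}

# scan_workflows DIR: scan every *.yml / *.yaml in DIR (e.g. .github/workflows).
# Returns 1 if any file was flagged, 0 otherwise.
scan_workflows() {
  local dir="$1" rc=0 f
  for f in "$dir"/*.yml "$dir"/*.yaml; do
    [ -e "$f" ] || continue
    scan_workflow "$f" || rc=1
  done
  return "$rc"
}

# make_samples: write two constructed workflows (not the real cocos-engine file) into
# a temp directory and print its path. vulnerable.yml has the CVE's shape; fixed.yml
# moves the value into env: and quotes it in the script.
make_samples() {
  local dir
  dir="$(mktemp -d)"
  cat > "$dir/vulnerable.yml" <<'EOF'
name: web-interface-check
on:
  pull_request_target:
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: fetch PR branch
        run: |
          git fetch origin ${{ github.head_ref }}
          git checkout FETCH_HEAD
EOF
  cat > "$dir/fixed.yml" <<'EOF'
name: web-interface-check
on:
  pull_request_target:
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: fetch PR branch
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          git fetch origin "$HEAD_REF"
          git checkout FETCH_HEAD
EOF
  printf '%s\n' "$dir"
}

# Demo: only vulnerable.yml line 11 is reported; fixed.yml passes.
samples="$(make_samples)"
if scan_workflows "$samples"; then
  echo "no untrusted contexts inside run: scripts"
else
  echo "review the flagged lines above; move the value into env: and quote it"
fi
rm -rf "$samples"
```

To check a real repository, run `scan_workflows .github/workflows` from the repository root. The scanner is line-based and deliberately simple: it tracks `run:` blocks by indentation rather than parsing YAML, so a `${{ }}` expression split across lines or a `run:` key inside a YAML flow mapping would be missed. Treat a clean result as a first pass, not proof.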
📡 Detection & Monitoring
Log Indicators:
- Unusual GitHub Actions workflow executions
- Unexpected commands in workflow logs
- Pull requests from unfamiliar forks triggering workflows
Network Indicators:
- Unusual outbound connections from GitHub Actions runners
SIEM Query:
source="github-actions" AND event="workflow_run" AND head_repo_fork=true AND (head_branch="*;*" OR head_branch="*$(*" OR head_branch="*`*" OR head_branch="*|*")
(Illustrative only; field names depend on how your SIEM ingests GitHub audit-log and workflow-run data. The useful signal is a workflow run triggered from a fork whose head branch name contains shell metacharacters, or a step log showing commands that do not appear in the workflow definition.)
🔗 References
- https://github.com/cocos/cocos-engine/blob/2362df28a4b3016dbda804899041279701929728/.github/workflows/web-interface-check.yml
- https://github.com/cocos/cocos-engine/commit/6d06aefa2684e20da79e7ceaf41f728c1a8d7a41
- https://securitylab.github.com/advisories/GHSL-2023-027_Engine_for_Cocos_Creator/