CVE-2023-30623

8.8 HIGH

📋 TL;DR

CVE-2023-30623 is a command injection vulnerability in the embano1/wip GitHub Action that allows attackers to execute arbitrary code on GitHub runners by submitting malicious pull request titles. This affects any GitHub repository using vulnerable versions of this action, potentially exposing CI/CD secrets and repository access. Attackers can trigger this without authentication by creating pull requests.

💻 Affected Systems

Products:
  • embano1/wip GitHub Action
Versions: All versions prior to version 2
Operating Systems: All - GitHub Actions runners support multiple OS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable when action is triggered by pull request events; requires the action to be configured in GitHub workflows.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of GitHub runners, exfiltration of all CI/CD secrets (including repository tokens, API keys, credentials), unauthorized code execution, and potential lateral movement to connected systems.

🟠

Likely Case

Exfiltration of repository secrets and CI/CD pipeline credentials, unauthorized code execution in GitHub runners, potential supply chain attacks through compromised builds.

🟢

If Mitigated

Limited impact with proper input validation and runner isolation; potential denial of service if action fails but no code execution.

🌐 Internet-Facing: HIGH - GitHub repositories are internet-accessible and pull requests can be submitted by any GitHub user.
🏢 Internal Only: LOW - The vulnerability requires GitHub repository access which is typically internet-facing; private repositories still accept external contributions.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward: create a pull request whose title contains shell commands; the GitHub advisory includes a proof of concept.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 2

Vendor Advisory: https://github.com/embano1/wip/security/advisories/GHSA-rg3q-prf8-qxmp

Restart Required: No

Instructions:

1. Update GitHub workflow files to use `embano1/wip@v2` or later.
2. Replace any references to `embano1/wip@v1` or `embano1/wip@main`.
3. Commit and push changes to repository.
4. Verify workflows run without errors.

🔧 Temporary Workarounds

Disable vulnerable action

all

Temporarily disable or remove the embano1/wip action from GitHub workflows

# Edit .github/workflows/*.yml files and remove or comment out embano1/wip action steps

Input validation workaround

linux

Add manual input validation for pull request titles before passing to action

# In workflow YAML, add a step to reject unsafe titles. The title must reach
# the shell through an environment variable: expanding ${{ ... }} directly
# inside `run:` would re-create the very injection this step is meant to block.
- name: Validate PR title
  env:
    PR_TITLE: ${{ github.event.pull_request.title }}
  run: |
    # reject titles containing shell metacharacters (; | & $ ` and backslash)
    if [[ "$PR_TITLE" =~ [\;\|\&\$\`] ]]; then
      echo "Invalid characters in PR title"
      exit 1
    fi

🧯 If You Can't Patch

  • Disable pull request triggers for workflows using embano1/wip action
  • Implement strict branch protection rules requiring maintainer approval for all pull requests

🔍 How to Verify

Check if Vulnerable:

Check GitHub workflow YAML files for references to the embano1/wip action that are not pinned to version 2 or later

Check Version:

grep -r "embano1/wip" .github/workflows/

Verify Fix Applied:

Verify workflow files specify `embano1/wip@v2` or later; test with a safe pull request to confirm action works without errors
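The grep above only lists references; the script below, added here as an example and not part of the advisory or the embano1/wip project, also classifies each pinned ref against the fix version. It assumes the action is referenced as `uses: embano1/wip@<ref>`, that release tags are named `v1`, `v2`, ... (the page states all versions before 2 are affected), and that `main`/`master` refs count as pre-fix, as the instructions above say to replace them; commit SHAs and other refs are reported for manual review because their version cannot be inferred from the name alone.

```shell
#!/bin/sh
# Added example (not from the advisory): find embano1/wip references in
# workflow files and classify each ref as ok, vulnerable, or needing review.

wip_ref_status() {
  # $1 is the ref after "embano1/wip@"; prints ok, vulnerable or review.
  ref="$1"
  case "$ref" in
    main|master) echo vulnerable; return ;;   # assumption: branch refs are pre-fix
    v[0-9]*) ;;                               # version tag, classified below
    *) echo review; return ;;                 # commit SHA or unknown naming
  esac
  # strip the leading "v" and any ".minor" or "-suffix" to get the major number
  major="${ref#v}"; major="${major%%.*}"; major="${major%%-*}"
  case "$major" in
    *[!0-9]*|'') echo review ;;
    *) if [ "$major" -ge 2 ]; then echo ok; else echo vulnerable; fi ;;
  esac
}

scan_workflows() {
  # $1 is a directory (normally .github/workflows); prints one line per
  # reference found: "<file> <ref> <status>".
  grep -rHoE 'embano1/wip@[A-Za-z0-9._/-]+' "$1" 2>/dev/null |
  while IFS= read -r line; do
    file="${line%%:*}"      # grep -H output is "path:match"
    ref="${line##*@}"
    printf '%s %s %s\n' "$file" "$ref" "$(wip_ref_status "$ref")"
  done
}

count_vulnerable_refs() {
  # $1 is a directory; prints how many references still need updating (0 = clean)
  scan_workflows "$1" | grep -c ' vulnerable$' || true
}

# usage: sh scan_wip.sh .github/workflows
if [ "$#" -gt 0 ]; then
  scan_workflows "$1"
fi
```

Run it from the repository root against `.github/workflows`; any line ending in `vulnerable` is a reference to replace, and lines ending in `review` (typically SHA pins) need a manual check of which release the commit belongs to.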

📡 Detection & Monitoring

Log Indicators:

  • Unusual shell commands in GitHub Actions logs
  • Unexpected process execution in runner logs
  • Failed workflow runs due to command injection errors

Network Indicators:

  • Unexpected outbound connections from GitHub runners during PR processing
  • Data exfiltration patterns from CI/CD environment

SIEM Query:

source="github-actions" AND ("command injection" OR "unexpected command" OR "malicious title")
