CVE-2023-31128

8.1 HIGH

📋 TL;DR

This CVE describes a command injection vulnerability in NextCloud Cookbook's GitHub Actions workflow. Attackers with write access to the repository can inject malicious commands by manipulating the github.head_ref field, potentially compromising the repository's CI/CD pipeline. Only the main repository and its forks are affected; NextCloud server users are not at risk.

💻 Affected Systems

Products:
  • NextCloud Cookbook
Versions: All versions prior to commit a46d9855 on the master branch and commit 489bb744 on the main-0.9.x branch
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the GitHub repository and forks, not the NextCloud server application itself. Requires attacker to have write access to the repository.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the repository, allowing attackers to inject malicious code, steal secrets, or pivot to other systems in the CI/CD environment.

🟠 Likely Case

Unauthorized code execution in GitHub Actions runners, potentially leading to repository manipulation, secret exfiltration, or supply chain attacks.

🟢 If Mitigated

No impact if the repository has been updated to the fixed commits or if proper input validation is implemented.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires write access to the repository. The advisory includes specific payload examples for command injection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commits a46d9855 (master) and 489bb744 (main-0.9.x)

Vendor Advisory: https://github.com/nextcloud/cookbook/security/advisories/GHSA-c5pc-mf2f-xq8h

Restart Required: No

Instructions:

1. Update your fork to include commit a46d9855 (master branch) or 489bb744 (main-0.9.x branch).
2. Verify the .github/workflows/pull-checks.yml file no longer uses untrusted github.head_ref input directly in shell commands.

🔧 Temporary Workarounds

Disable vulnerable workflow (all)

Temporarily disable the pull-checks.yml workflow in GitHub repository settings

Manual input validation (all)

Add input validation to sanitize github.head_ref before use in shell commands

🧯 If You Can't Patch

  • Review repository access controls and limit write permissions to trusted contributors only
  • Monitor GitHub Actions logs for suspicious command execution patterns

🔍 How to Verify

Check if Vulnerable:

Check if your .github/workflows/pull-checks.yml file contains direct usage of ${{ github.head_ref }} in shell commands without proper sanitization

Check Version:

git log --oneline | grep -E 'a46d9855|489bb744'

Verify Fix Applied:

Verify the workflow file uses proper input validation or references the fixed commits in the repository history
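The "Manual input validation" workaround and the "Check if Vulnerable" step both come down to the same question: does any `run:` step expand an attacker-influenced expression such as `${{ github.head_ref }}` directly into shell text? The script below is an added example, not code from the Nextcloud Cookbook project or this advisory. It scans workflow YAML line by line, tracks inline and block-scalar (`run: |`) steps, and reports expressions built from contexts that GitHub's own documentation lists as untrusted. The two workflow snippets are constructed for the example: the first shows the vulnerable inline expansion, the second the common hardened form that passes the value through an `env:` variable so the shell receives it as data rather than as part of the command text. The context list and the `find_unsafe_run_expansions` helper are this example's own; they are not part of the affected workflow file.

```python
import re

# Expression contexts that carry user-controlled text (branch names, PR and issue
# titles/bodies, comments). Expanding any of these inside `run:` is a script
# injection risk; the list here is the example's own, based on GitHub's guidance.
UNTRUSTED_CONTEXTS = (
    "github.head_ref",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.event.review.body",
)

# Matches a `${{ ... }}` expression and captures its inner text.
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
# Matches a `run:` key, optionally preceded by a list dash, and captures its value.
RUN_KEY_RE = re.compile(r"(?:-\s+)?run:\s*(.*)$")
BLOCK_SCALAR_MARKERS = ("|", ">", "|-", ">-", "|+", ">+")

# Constructed sample: untrusted branch name expanded straight into the shell line.
VULNERABLE_WORKFLOW = """\
name: pull-checks
on: pull_request
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Show branch
        run: echo "Checking branch ${{ github.head_ref }}"
"""

# Constructed sample: same step, but the value reaches the shell via an env var.
HARDENED_WORKFLOW = """\
name: pull-checks
on: pull_request
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Show branch
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: echo "Checking branch $HEAD_REF"
"""


def find_unsafe_run_expansions(workflow_text):
    """Return [(line_number, expression)] for untrusted expansions inside run: steps."""
    findings = []
    in_run_block = False   # True while inside a `run: |` / `run: >` block scalar
    run_indent = None      # indentation of the `run:` key that opened the block
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        shell_text = None
        m = RUN_KEY_RE.match(stripped)
        if m:
            value = m.group(1).strip()
            if value in BLOCK_SCALAR_MARKERS:
                # Body follows on the more-indented lines below.
                in_run_block, run_indent = True, indent
                continue
            in_run_block = False
            shell_text = value
        elif in_run_block:
            if stripped == "" or indent > run_indent:
                shell_text = line
            else:
                in_run_block = False  # block scalar ended at a dedent
        if shell_text is None:
            continue  # not shell text (e.g. an env: mapping), so not injectable
        for expr in EXPR_RE.findall(shell_text):
            if any(ctx in expr for ctx in UNTRUSTED_CONTEXTS):
                findings.append((lineno, expr))
    return findings


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        hits = find_unsafe_run_expansions(text)
        print(f"{label}: {hits or 'no untrusted expansions in run: steps'}")
```

Pointing the scanner at a real file is a matter of reading it and calling `find_unsafe_run_expansions` on its contents; a hit means the step still builds its command from untrusted text and should be rewritten in the `env:` form, which is the pattern to look for when confirming the fix in pull-checks.yml.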

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in GitHub Actions logs
  • Suspicious shell commands containing echo${IFS} or similar injection patterns

Network Indicators:

  • Unexpected outbound connections from GitHub Actions runners

SIEM Query:

source="github-actions" AND (command="echo${IFS}" OR command="zzz")
