CVE-2023-34111
📋 TL;DR
This CVE describes a command injection vulnerability in the 'Release PR Merged' GitHub Actions workflow of the taosdata/grafanaplugin repository. Attackers can execute arbitrary code within the GitHub Actions context by injecting malicious commands through pull request titles, potentially accessing secrets or compute resources. This affects anyone using the vulnerable workflow in their GitHub repositories.
💻 Affected Systems
- taosdata/grafanaplugin GitHub repository
📦 What is this software?
Grafana plugin by TDengine (the taosdata/grafanaplugin repository)
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of GitHub Actions environment, theft of all repository secrets (tokens, API keys, credentials), unauthorized code execution, and potential lateral movement to connected systems.
Likely Case
Unauthorized code execution within GitHub Actions runner, exfiltration of repository secrets, and potential supply chain attacks through malicious releases.
If Mitigated
Limited impact with proper input validation and security controls, potentially only workflow disruption without data compromise.
🎯 Exploit Status
Exploitation requires ability to create or modify pull requests in the repository. The vulnerability is well-documented in security advisories with clear examples.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in the commit that addresses the workflow vulnerability
Vendor Advisory: https://github.com/taosdata/grafanaplugin/security/advisories/GHSA-23wp-p848-hcgr
Restart Required: No
Instructions:
1. Update the .github/workflows/release-pr-merged.yaml file.
2. Replace direct usage of ${{ github.event.pull_request.title }} with properly sanitized input.
3. Commit and push the changes to the repository.
4. Verify the workflow no longer uses untrusted input directly in bash commands.
🔧 Temporary Workarounds
Disable vulnerable workflow
Temporarily disable the 'Release PR Merged' workflow to prevent exploitation.
Navigate to repository Settings > Actions > Workflow permissions > Disable workflow
Implement input validation
Add input validation and sanitization to the workflow before using the pull request title.
Modify the workflow to use ${{ github.event.pull_request.title | tojson }} or implement proper escaping.
🧯 If You Can't Patch
- Restrict repository permissions to trusted contributors only
- Implement branch protection rules requiring reviews before merging pull requests
🔍 How to Verify
Check if Vulnerable:
Inspect .github/workflows/release-pr-merged.yaml line 25 for direct usage of ${{ github.event.pull_request.title }} in bash commands without proper escaping.
Check Version:
git log --oneline -n 5 .github/workflows/release-pr-merged.yaml
Verify Fix Applied:
Check that the workflow file no longer uses untrusted input directly in bash commands and implements proper input validation or escaping.
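The fix instructions and the verification steps above both come down to one question: does an attacker-controlled event field reach a run: script as script text rather than as data? The checker below is an added example, not part of this advisory or of the taosdata/grafanaplugin project. It scans a workflow file line by line and reports every ${{ }} expression inside a run: step that references a field a pull request author or commenter controls. The two embedded workflows are constructed samples: the first has the vulnerable shape described above (the PR title expanded straight into the script), the second passes the title through an env: variable and quotes it, which is the mitigation the GitHub Security Lab article in the references recommends. The list of untrusted contexts, the function names and the sample file contents are the example's own assumptions.

```python
import re
import sys

# Event fields a pull request author or commenter controls; assembled here from
# GitHub's documentation of untrusted inputs as an illustrative subset.
UNTRUSTED_CONTEXTS = (
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.event.head_commit.message",
    "github.head_ref",
)

RUN_RE = re.compile(r"^(?P<pre>\s*(?:-\s+)?)run:\s*(?P<rest>.*)$")  # `run:` or `- run:`
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")                       # ${{ expression }}
BLOCK_SCALARS = {"|", "|-", "|+", ">", ">-", ">+"}


def _references_untrusted(expr):
    """True if a workflow expression mentions an attacker-controlled field."""
    compact = expr.replace(" ", "").lower()
    return any(ctx in compact for ctx in UNTRUSTED_CONTEXTS)


def find_unsafe_run_expressions(workflow_text):
    """Return [(line_number, expression)] for each untrusted ${{ }} expression
    interpolated directly into a `run:` script. Expressions under `env:` are
    not reported: there the value reaches the shell as a variable, not as code.
    """
    findings = []
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_col = len(m.group("pre"))
        script = [(i, m.group("rest"))]
        if m.group("rest").strip() in BLOCK_SCALARS:
            # Block scalar: the script continues on every following line that is
            # blank or indented deeper than the `run` key itself.
            j = i + 1
            while j < len(lines) and (
                not lines[j].strip() or len(lines[j]) - len(lines[j].lstrip()) > key_col
            ):
                script.append((j, lines[j]))
                j += 1
            i = j
        else:
            i += 1
        for idx, text in script:
            for expr in EXPR_RE.findall(text):
                if _references_untrusted(expr):
                    findings.append((idx + 1, expr))
    return findings


# Constructed sample: the vulnerable shape the advisory describes. The PR title
# is expanded into the script text before bash ever parses it.
VULNERABLE_WORKFLOW = """\
name: Release PR Merged
on:
  pull_request:
    types: [closed]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Read release version from PR title
        run: |
          TITLE="${{ github.event.pull_request.title }}"
          echo "Merged: $TITLE"
"""

# Constructed sample: the same step hardened. The title arrives as an
# environment variable and is quoted, so bash treats it as data.
FIXED_WORKFLOW = """\
name: Release PR Merged
on:
  pull_request:
    types: [closed]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Read release version from PR title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Merged: $PR_TITLE"
"""

if __name__ == "__main__":
    # Scan the workflow files named on the command line, or the two samples.
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or [
        ("vulnerable (constructed)", VULNERABLE_WORKFLOW),
        ("fixed (constructed)", FIXED_WORKFLOW),
    ]
    for name, text in sources:
        hits = find_unsafe_run_expressions(text)
        print(f"{name}: {len(hits)} untrusted expression(s) in run: scripts")
        for line_no, expr in hits:
            print(f"  line {line_no}: {expr!r} interpolated directly into a run: script")
```

Pointed at a checked-out repository (for instance python3 check_run_injection.py .github/workflows/*.yaml, with the script name being whatever you save it as), a clean result means no run: step interpolates one of the listed fields; a hit gives the line to move into an env: block. The scan is deliberately line-oriented so it runs without a YAML library; a parser-based version would also catch fields the regex misses, such as expressions spread across folded lines.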
📡 Detection & Monitoring
Log Indicators:
- Unexpected commands in GitHub Actions logs
- Suspicious activity in workflow execution
- Unauthorized access attempts to repository secrets
Network Indicators:
- Unusual outbound connections from GitHub Actions runners
- Data exfiltration patterns
SIEM Query:
source="github-actions" AND (command_injection OR suspicious_command OR unexpected_execution)
🔗 References
- https://github.com/taosdata/grafanaplugin/blob/master/.github/workflows/release-pr-merged.yaml#L25
- https://github.com/taosdata/grafanaplugin/security/advisories/GHSA-23wp-p848-hcgr
- https://securitylab.github.com/research/github-actions-untrusted-input/