CVE-2023-49291

9.3 CRITICAL

📋 TL;DR

This vulnerability in the tj-actions/branch-names GitHub Action allows attackers to execute arbitrary code by using specially crafted branch names. It occurs because the action references untrusted input variables (branch names) directly within GitHub Actions run steps, so a crafted name is interpreted as part of the shell command; this lets attackers steal secrets or abuse GITHUB_TOKEN permissions. Anyone using vulnerable versions of this GitHub Action in their workflows is affected.

💻 Affected Systems

Products:
  • tj-actions/branch-names GitHub Action
Versions: All versions before 7.0.7
Operating Systems: All platforms where GitHub Actions runs
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability affects any GitHub workflow using the vulnerable action, regardless of operating system or configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the GitHub Actions runner environment, theft of all repository secrets, unauthorized code execution, and potential lateral movement to connected systems.

🟠 Likely Case

Theft of repository secrets, unauthorized code execution within the GitHub Actions environment, and potential abuse of GITHUB_TOKEN permissions for malicious repository modifications.

🟢 If Mitigated

Limited impact due to proper branch protection rules, minimal secrets exposure, and restricted GITHUB_TOKEN permissions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to create branches in the repository, making it accessible to repository contributors. GitHub Security Lab has published research demonstrating exploitation techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.0.7

Vendor Advisory: https://github.com/tj-actions/branch-names/security/advisories/GHSA-8v8w-v8xg-79rf

Restart Required: No

Instructions:

1. Update your GitHub workflow YAML files to reference tj-actions/branch-names@v7.0.7 or later.
2. Replace any version tags like @v7 or @v7.0.6 with @v7.0.7.
3. Test your workflows to ensure compatibility with the updated version.

🔧 Temporary Workarounds

No workarounds available


The vendor advisory states there are no known workarounds for this vulnerability.

🧯 If You Can't Patch

  • Temporarily disable workflows using the vulnerable action until patching is possible
  • Implement strict branch protection rules to prevent unauthorized branch creation

🔍 How to Verify

Check if Vulnerable:

Check your GitHub workflow YAML files for references to tj-actions/branch-names with version tags older than v7.0.7, or with major version tags like @v7 that carry no specific patch version.

Check Version:

grep -r "tj-actions/branch-names" .github/workflows/

Verify Fix Applied:

Verify that all workflow files reference tj-actions/branch-names@v7.0.7 or later, then run your workflows to confirm they execute without errors.
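The check described above, as an added example that is not part of this advisory: it scans workflow text for `uses:` references to tj-actions/branch-names and classifies each pinned ref against the 7.0.7 fix version. The workflow snippet is constructed sample input; branch refs and commit SHAs are reported as "unknown" because the tag alone does not reveal the version.

```python
import re

FIXED = (7, 0, 7)  # first fixed release per the vendor advisory
USES_RE = re.compile(r"uses:\s*['\"]?tj-actions/branch-names@([^\s'\"#]+)")
SEMVER_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def classify_ref(ref):
    """Return 'vulnerable', 'fixed', 'floating' or 'unknown' for one @ref."""
    m = SEMVER_RE.match(ref)
    if not m:
        return "unknown"  # @main or a commit SHA: resolve the pin manually
    major, minor, patch = (int(x) if x is not None else None for x in m.groups())
    lower = (major, minor or 0, patch or 0)  # lowest release the tag can resolve to
    if lower >= FIXED:
        return "fixed"
    if patch is None and major == 7 and minor in (None, 0):
        return "floating"  # @v7 / @v7.0 may point at 7.0.7 or older: pin it
    return "vulnerable"


def scan_workflow(text):
    """Return [(line_no, ref, status)] for every branch-names reference."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.search(line)
        if m:
            findings.append((n, m.group(1), classify_ref(m.group(1))))
    return findings


# Constructed sample workflow (not from any real repository).
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/branch-names@v7.0.6   # older than the fix
      - uses: tj-actions/branch-names@v7       # floating major tag
      - uses: "tj-actions/branch-names@v7.0.7"
"""

if __name__ == "__main__":
    for line_no, ref, status in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: @{ref} -> {status}")
```

Run it over each file under .github/workflows/ and treat anything other than "fixed" as needing a pin to v7.0.7 or later.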

📡 Detection & Monitoring

Log Indicators:

  • Unusual branch names containing shell metacharacters or code injection patterns in GitHub Actions logs
  • Unexpected command execution in branch-names action steps
  • Unauthorized access attempts to secrets or sensitive data

Network Indicators:

  • Unexpected outbound connections from GitHub Actions runners during branch name processing

SIEM Query:

source="github-actions" AND "branch-names" AND ("github.event.pull_request.head.ref" OR "github.head_ref")

🔗 References
