Adnanekhan

Name of the Vulnerable Software and Affected Versions dbt (affected versions not specified) Description dbt allows data analysts and engineers to transform data using software engineering practices. A command injection issue exists in the workflow located at dbt-labs/actions/blob/main/.github/workflows/open-issue-in-repo.yml. The `peter-evans/find-comment` action's output, specifically `steps.issue comment.outputs.comment-body`, is directly interpolated into a bash if statement without proper escaping. This allows a malicious comment body to inject arbitrary shell commands. Recommendations Update to a version after commit bbed8d28354e9c644c5a7df13946a3a0451f9ab9.

**Name of the Vulnerable Software and Affected Versions** tj-actions/branch-names versions prior to 7.0.7 **Description** The `tj-actions/branch-names` GitHub Actions improperly references the `github.event.pull request.head.ref` and `github.head ref` context variables within a GitHub Actions `run` step. The head ref variable is the branch name and can be used to execute arbitrary code using a specially crafted branch name. An attacker can use this issue to steal secrets from or abuse `GITHUB TOKEN` permissions. **Recommendations** For versions prior to 7.0.7, upgrade to version 7.0.7 to address the issue. As a temporary workaround, consider restricting the use of the `github.event.pull request.head.ref` and `github.head ref` context variables within GitHub Actions `run` steps to minimize the risk of exploitation. Avoid using specially crafted branch names that could be used to inject arbitrary code.