R3X

**Name of the Vulnerable Software and Affected Versions** tj-actions/branch-names versions prior to 7.0.7 **Description** The `tj-actions/branch-names` GitHub Actions improperly references the `github.event.pull request.head.ref` and `github.head ref` context variables within a GitHub Actions `run` step. The head ref variable is the branch name and can be used to execute arbitrary code using a specially crafted branch name. An attacker can use this issue to steal secrets from or abuse `GITHUB TOKEN` permissions. **Recommendations** For versions prior to 7.0.7, upgrade to version 7.0.7 to address the issue. As a temporary workaround, consider restricting the use of the `github.event.pull request.head.ref` and `github.head ref` context variables within GitHub Actions `run` steps to minimize the risk of exploitation. Avoid using specially crafted branch names that could be used to inject arbitrary code.

**Name of the Vulnerable Software and Affected Versions** JavaCPP Presets versions prior to 1.5.9 **Description** The issue concerns the insecure use of the `github.event.head commit.message` parameter in JavaCPP Presets, leading to a command injection vulnerability due to string interpolation. No exploitation has been reported. **Recommendations** For versions prior to 1.5.9, upgrade to version 1.5.9 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `github.event.head commit.message` parameter in the affected actions until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** taosdata/grafanaplugin (affected versions not specified) **Description** The issue concerns a command injection vulnerability in the `Release PR Merged` workflow. This vulnerability allows for arbitrary code execution within the GitHub action context due to the insecure usage of `${{ github.event.pull request.title }}` in a bash command. Attackers can inject malicious commands, potentially gaining access to secrets or making use of compute resources. **Recommendations** As a temporary workaround, consider restricting the use of the `Release PR Merged` workflow until a patch is available. Avoid directly passing `${{ github.event.pull request.title }}` to bash commands in the workflow to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** embano1/wip versions prior to 2 **Description** The `embano1/wip` action uses the `github.event.pull request.title` parameter in an insecure way, resulting in a command injection vulnerability due to string interpolation. This issue can be triggered by any user on GitHub by creating a pull request with a commit message containing an exploit. The commit can be genuine, but the commit message can be malicious, allowing for the execution of code on the GitHub runners and the exfiltration of secrets used in the CI pipeline, including repository tokens. **Recommendations** To resolve the issue, update the `embano1/wip` action to version 2 by replacing the line in your workflow with `uses: embano1/wip@v2` or using the exact commit `uses: embano1/wip@c25450f77ed02c20d00b76ee3b33ff43838739a2`. As a temporary workaround, consider restricting access to the `github.event.pull request.title` parameter to minimize the risk of exploitation. Avoid using the `github.event.pull request.title` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** github-slug-action versions 4.0.0 through 4.4.1 **Description** The github-slug-action uses the `github.head ref` parameter in an insecure way, allowing any user on GitHub to trigger the vulnerability by creating a pull request with a branch name containing the attack payload. This can be used to execute code on the GitHub runners and to exfiltrate any secrets used in the CI pipeline. **Recommendations** For github-slug-action versions 4.0.0 through 4.4.1, update to version 4.4.1 or later to resolve the issue. As a temporary workaround, consider passing the variable as an environment variable and using the environment variable instead of substituting it directly, until a patch is available. No other workarounds are available, so upgrading the version is the recommended course of action.