PT-2023-21224 · Github · Github-Slug-Action

R3X

·

Published

2023-03-13

·

Updated

2023-03-17

·

CVE-2023-27581

CVSS v3.1

8.8

High

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions github-slug-action versions 4.0.0 up to and including 4.4.0 (all releases before the fixed version 4.4.1)
Description github-slug-action substitutes the github.head_ref expression directly into a shell run step. Because GitHub Actions expands ${{ ... }} expressions as text before the shell parses the script, the branch name becomes part of the shell source. Any GitHub user who can open a pull request against a repository that uses the action can trigger the vulnerability by choosing a branch name containing the attack payload. This can be used to execute arbitrary commands on the GitHub runner and to exfiltrate any secrets available to the CI pipeline.
Recommendations For github-slug-action versions 4.0.0 through 4.4.0, update to version 4.4.1 or later to resolve the issue. As a temporary workaround until you can upgrade, pass the value as an environment variable (for example via an env: mapping on the step) and reference that environment variable from the shell instead of substituting the expression directly into the script. No other workaround is available, so upgrading is the recommended course of action.
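The following shell script is an added example written for this advisory; it is not code from github-slug-action or from the advisory itself. It reproduces the mechanism described above: a constructed branch name is substituted textually into a run step the way the Actions runner does it (the vulnerable pattern), and the same name is passed through an environment variable (the recommended workaround). The payload, the HEAD_REF variable name and the slugify helper are illustrative assumptions, and the helper does not reproduce the real action's slug rules.

```shell
#!/bin/sh
# Added example, not github-slug-action's own code.
# GitHub Actions expands ${{ ... }} expressions as plain text *before* the
# shell sees the script, so a branch name placed there becomes shell source.
# An environment variable is expanded by the shell itself and stays data.

# Constructed attacker branch name (hypothetical payload). It closes the
# quoted word, runs a command, then re-opens the quote so the rest parses.
PAYLOAD='"; echo INJECTED; echo "'

# Simulates the vulnerable pattern:
#   run: echo "Branch: ${{ github.head_ref }}"
# The runner performs a textual substitution; this renders the script the
# shell would actually receive.
render_vulnerable() {
    printf 'echo "Branch: %s"\n' "$1"
}

# Executes the rendered script and returns how many times the injected
# command's marker line appeared (1 = payload ran, 0 = treated as data).
vulnerable_marker_count() {
    render_vulnerable "$1" | sh | grep -c '^INJECTED$' || true
}

# Simulates the hardened pattern from the workaround:
#   env:
#     HEAD_REF: ${{ github.head_ref }}   # name HEAD_REF is an assumption
#   run: echo "Branch: $HEAD_REF"
# The branch name reaches the shell only through the environment.
run_hardened() {
    HEAD_REF="$1" sh -c 'echo "Branch: $HEAD_REF"'
}

hardened_marker_count() {
    run_hardened "$1" | grep -c '^INJECTED$' || true
}

# Illustrative slug computation done the safe way: the ref is a function
# argument, never interpolated into shell source. Hypothetical rules:
# lowercase, then replace every non-alphanumeric character with '-'.
slugify() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -c '[:alnum:]' '-'
}

# Demonstration run
echo "--- vulnerable: expression substituted into the run step ---"
render_vulnerable "$PAYLOAD" | sh
echo "--- hardened: branch name passed as an environment variable ---"
run_hardened "$PAYLOAD"
echo "slug of 'feature/Add Thing': $(slugify 'feature/Add Thing')"
```

In the vulnerable case the marker line INJECTED is printed on its own, proving the payload executed; in the hardened case the whole branch name, quotes and semicolons included, is echoed back as a single line of data.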

Exploit

Fix

Weakness Enumeration

Command Injection

Related Identifiers

CVE-2023-27581
GHSA-6q4m-7476-932w

Affected Products

Github-Slug-Action