PT-2023-22820 · Unknown · Embano1/Wip
R3X · Published 2023-04-24 · Updated 2023-05-04 · CVE-2023-30623
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: embano1/wip versions prior to 2

Description: The embano1/wip action uses the github.event.pull_request.title parameter in an insecure way: the value is interpolated into a shell command as a string, resulting in a command injection vulnerability. Any GitHub user can trigger the issue by opening a pull request whose commit message contains an exploit. The commit itself can be genuine while its message is malicious, allowing code execution on the GitHub runners and exfiltration of the secrets used in the CI pipeline, including repository tokens.

Recommendations: To resolve the issue, update the embano1/wip action to version 2 by replacing the line in your workflow with uses: embano1/wip@v2, or pin the exact commit with uses: embano1/wip@c25450f77ed02c20d00b76ee3b33ff43838739a2. As a temporary workaround, restrict how the github.event.pull_request.title parameter is used to minimize the risk of exploitation, and avoid passing github.event.pull_request.title to the affected API endpoint until the issue is resolved.
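The injection pattern the advisory describes, shown next to the mitigation GitHub documents for untrusted event data (pass the value through an environment variable so the shell sees it only as data), as an added example that is not code from the advisory or from the embano1/wip project; the workflow, job and step names are assumptions.

```yaml
# Added example (not the advisory's or embano1/wip's own code).
name: wip-check
on:
  pull_request:
    types: [opened, edited, synchronize]

jobs:
  vulnerable:   # the pattern the advisory describes; do NOT use this form
    runs-on: ubuntu-latest
    steps:
      # ${{ }} is expanded *before* the script reaches the shell, so any
      # shell metacharacters in the PR title become part of the script.
      - run: |
          echo "PR title: ${{ github.event.pull_request.title }}"

  hardened:
    runs-on: ubuntu-latest
    steps:
      # The untrusted value is bound to an env var and only ever referenced
      # as "$PR_TITLE", so the shell treats it as a plain string.
      - name: Check for WIP marker
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          case "$PR_TITLE" in
            *WIP*|*wip*) echo "work in progress, blocking merge"; exit 1 ;;
            *)           echo "title ok" ;;
          esac
      # Use the patched release named in the advisory (or pin its commit).
      - uses: embano1/wip@v2
```

Reviewing a workflow for `${{ github.event.pull_request.title }}` (and other attacker-controlled event fields such as body, branch name and commit message) inside a `run:` block is the quickest way to spot this class of bug in other actions.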

Weakness Enumeration: Command Injection

Related Identifiers: CVE-2023-30623, GHSA-RG3Q-PRF8-QXMP

Affected Products: Embano1/Wip