PT-2023-22825 · Kiwi TCMS · kiwitcms/Kiwi +1

Reported by Argussecuritybot +1 · Published 2023-04-24 · Updated 2023-05-04 · CVE-2023-30628

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

kiwitcms/Kiwi versions 12.2 and prior
kiwitcms/enterprise versions 12.2 and prior
Description

The changelog.yml GitHub Actions workflow in Kiwi TCMS is vulnerable to command injection because it interpolates the untrusted `github.head_ref` context field directly into a `run:` step. `github.head_ref` is the source branch name of a pull request and is therefore attacker-controlled: GitHub substitutes the expression into the script text before the shell parses it, so a branch named like `zzz";echo${IFS}"hello";#` closes the surrounding quoting and runs arbitrary shell commands on the runner. Because the workflow does not restrict its `permissions`, the injected commands execute with a GITHUB_TOKEN that has write access to the repository.
Recommendations

For kiwitcms/Kiwi versions 12.2 and prior, update to a version that includes commit 834c86dfd1b2492ccad7ebbfd6304bfec895fed2. For kiwitcms/enterprise versions 12.2 and prior, update to a version that includes commit e39f7e156fdaf6fec09a15ea6f4e8fec8cdbf751. As a temporary workaround, restrict the changelog.yml workflow to minimize the risk of exploitation: limit the events and actors that can trigger it, and scope its `permissions` so the GITHUB_TOKEN it receives cannot write to the repository. More generally, never place `${{ github.head_ref }}` (or any other attacker-influenced context value) inside a `run:` script; pass it through an `env:` entry and reference the environment variable from the script instead, so the shell never re-parses the value as syntax.
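The following script is an added example, not code from the Kiwi TCMS repository or from its changelog.yml workflow. It models the two ways a workflow step can consume the branch name: the vulnerable form, where GitHub pastes `${{ github.head_ref }}` into the script text before the shell sees it, and the hardened form from the recommendation above, where the value travels through an environment variable. The function names, the `sh -c` simulation of the runner, and the branch-name payload (taken from the advisory) are this example's own assumptions.

```shell
#!/bin/sh
# Added example: simulate GitHub Actions expression expansion for a `run:` step.
# Not Kiwi TCMS code; function names and the sh -c model are assumptions.

# Constructed attacker-controlled branch name, the payload quoted in the advisory.
PAYLOAD='zzz";echo${IFS}"hello";#'

# Vulnerable pattern. Models a step such as:
#   - run: echo "Branch: ${{ github.head_ref }}"
# GitHub substitutes the expression into the script *text*, so the quotes and
# the ';' inside the branch name become shell syntax. We reproduce that by
# building the script as a string and handing it to a fresh shell.
run_vulnerable() {
    branch="$1"
    script="echo \"Branch: ${branch}\""
    sh -c "$script"
}

# Hardened pattern. Models a step such as:
#   - env:
#       BRANCH: ${{ github.head_ref }}
#     run: echo "Branch: $BRANCH"
# The script text is fixed; the shell only ever performs a quoted variable
# expansion, so the branch name is data, never syntax.
run_hardened() {
    BRANCH="$1" sh -c 'echo "Branch: $BRANCH"'
}

# Stand-alone demonstration: the vulnerable form prints "hello" from the
# injected command, the hardened form prints the branch name verbatim.
echo "--- vulnerable ---"
run_vulnerable "$PAYLOAD"
echo "--- hardened ---"
run_hardened "$PAYLOAD"
```

Running it shows the injected `echo${IFS}"hello"` executing in the vulnerable path (the `${IFS}` trick is the classic way to smuggle a word separator past filters that strip spaces), while the hardened path emits the whole branch name as a single literal string. In a real workflow the same injected position could run `curl`, `git push`, or anything else the runner's GITHUB_TOKEN permits.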

Weakness Enumeration

OS Command Injection

Related Identifiers

CVE-2023-30628
GHSA-CW6R-6CCX-5HWX
PYSEC-2023-273

Affected Products

kiwitcms/Kiwi
kiwitcms/enterprise