PT-2023-23164 · Nextcloud · Nextcloud Cookbook

Igibek · Published 2023-05-26 · Updated 2025-01-14 · CVE-2023-31128

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: NextCloud Cookbook versions prior to commit a46d9855 on the master branch and commit 489bb744 on the main-0.9.x branch.

Description: The issue is a command injection vulnerability caused by the use of the untrusted github.head_ref field in the pull-checks.yml workflow. The github.head_ref value (the name of the pull request's source branch) is controlled by the pull request author, so a value such as zzz";echo${IFS}"hello";# is interpolated into the workflow's shell command and executed. Because the workflow runs with unrestricted permissions, this gives an attacker write access to the repository. The vulnerability affects the main repository and any forks of it; there is no risk to users of the app within the NextCloud server.

Recommendations: To resolve the issue, ensure that your fork of the NextCloud Cookbook repository is updated to the latest version, at least commit a46d9855 on the master branch and commit 489bb744 on the main-0.9.x branch. As a temporary workaround, consider restricting access to the pull-checks.yml workflow until the update is applied.
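The pattern behind this advisory, as an added example that is not code from the Nextcloud Cookbook project or from the advisory: a small scanner that flags pull-request-controlled GitHub expressions such as github.head_ref interpolated directly into run: steps, applied to a constructed workflow (not the real pull-checks.yml) that pairs the vulnerable pattern with the hardened form, where the value is passed through an environment variable so the shell treats it as data rather than as code.

```python
import re

# Constructed sample workflow, not the project's pull-checks.yml. The first
# step interpolates github.head_ref straight into a shell command; the second
# passes it through an environment variable, which the shell never re-parses.
SAMPLE_WORKFLOW = """\
name: pull-checks
on: pull_request
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: vulnerable
        run: |
          echo "Checking ${{ github.head_ref }}"
      - name: hardened
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          echo "Checking $HEAD_REF"
"""

# Expression contexts a pull request author can set (branch name, PR title
# and body, commit message, issue text). Any of these inside a run: script
# is shell code chosen by the author of the PR.
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.(?:head_ref"
    r"|event\.pull_request\.(?:title|body|head\.ref|head\.label)"
    r"|event\.head_commit\.message"
    r"|event\.issue\.(?:title|body))\s*\}\}"
)


def find_injected_expressions(workflow_text):
    """Return [(line_number, expression)] for every untrusted expression that
    appears inside a run: step (single-line or block scalar)."""
    findings = []
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"^(\s*)(?:-\s+)?run:\s*(.*)$", lines[i])
        if not m:
            i += 1
            continue
        indent, rest = len(m.group(1)), m.group(2)
        body = [(i, rest)]  # single-line run: the command is on this line
        if rest.strip() in ("|", ">", "|-", ">-", "|+", ">+"):
            body, j = [], i + 1  # block scalar: collect more-indented lines
            while j < len(lines) and (not lines[j].strip()
                                      or len(lines[j]) - len(lines[j].lstrip()) > indent):
                body.append((j, lines[j]))
                j += 1
            i = j - 1
        for ln, text in body:
            for hit in UNTRUSTED.finditer(text):
                findings.append((ln + 1, hit.group(0)))
        i += 1
    return findings
```

Only the vulnerable step is reported; the env: mapping in the hardened step is not a run: script and is correctly left alone.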

Weakness Enumeration: OS Command Injection

Related Identifiers: CVE-2023-31128, GHSA-C5PC-MF2F-XQ8H

Affected Products: Nextcloud Cookbook