PT-2023-24683 · Unknown · Taosdata/Grafanaplugin

R3X

Published 2023-06-06
Updated 2023-06-13
CVE-2023-34111

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions
taosdata/grafanaplugin (affected versions not specified)

Description
The issue concerns a command injection vulnerability in the Release PR Merged workflow. It allows arbitrary code execution within the GitHub Actions context because `${{ github.event.pull_request.title }}` is used directly inside a bash command: the expression is expanded into the script text before the shell runs it, so the attacker-controlled title is interpreted as shell syntax rather than as data. Attackers can inject malicious commands, potentially gaining access to secrets or making use of compute resources.

Recommendations
As a temporary workaround, consider restricting the use of the Release PR Merged workflow until a patch is available. Avoid passing `${{ github.event.pull_request.title }}` directly into bash commands in the workflow; pass untrusted event data through an environment variable instead to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
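The following is an added illustration of the pattern the advisory describes, not the actual taosdata/grafanaplugin workflow: the workflow name, trigger, job names and step contents are hypothetical, and only the unsafe use of `${{ github.event.pull_request.title }}` comes from the advisory. The first job shows the vulnerable construction; the second shows the recommended hardened form, where the untrusted value is passed as an environment variable so bash receives it as data.

```yaml
# Added example (hypothetical workflow), not code from the taosdata/grafanaplugin repository.
name: Release PR Merged
on:
  pull_request:
    types: [closed]

# Least privilege for the default GITHUB_TOKEN limits what a successful
# injection could reach; the advisory notes that secrets are at risk.
permissions:
  contents: read

jobs:
  vulnerable-pattern:
    runs-on: ubuntu-latest
    steps:
      # UNSAFE: the ${{ }} expression is substituted into the script text by the
      # runner before bash parses it, so shell metacharacters in the PR title
      # become part of the command line.
      - name: Log merged PR (vulnerable pattern, do not use)
        run: echo "Merged PR: ${{ github.event.pull_request.title }}"

  hardened-pattern:
    runs-on: ubuntu-latest
    steps:
      # SAFE: the title reaches bash only as the value of an environment variable.
      # The script text contains just "$PR_TITLE", so the title is expanded as a
      # single quoted string and never re-parsed as shell syntax.
      - name: Log merged PR (hardened)
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Merged PR: $PR_TITLE"
```

The same rule applies to every other attacker-controlled event field (branch names, commit messages, issue bodies, PR descriptions): never interpolate them into `run:` scripts with `${{ }}`; bind them under `env:` and reference the variable with double quotes. The `permissions:` block is an assumption added for defense in depth and is not part of the advisory's recommendations.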

Exploit

Command Injection

RCE

Weakness Enumeration

Related Identifiers

CVE-2023-34111
GHSA-23WP-P848-HCGR

Affected Products

Taosdata/Grafanaplugin