PT-2023-31154 · Github · Tj-Actions/Branch-Names

Credits: Adnanekhan (+1)
Published: 2023-12-04 · Updated: 2025-03-17
CVE-2023-49291
CVSS v3.1: 9.3 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: tj-actions/branch-names versions prior to 7.0.7
Description: The tj-actions/branch-names GitHub Action interpolates the github.event.pull_request.head.ref and github.head_ref context values directly into a run step. Both hold the head branch name of the pull request, which is chosen by the pull request author, and GitHub substitutes the expression into the script text before the shell parses it, so a specially crafted branch name (for example one containing quotes and a command separator) executes arbitrary commands on the runner. An attacker can use this to steal secrets available to the workflow or to abuse the permissions of the GITHUB_TOKEN. The typical exposure is a workflow that runs the action on an event such as pull_request_target, where a pull request from a fork executes with the base repository's secrets and token.
Recommendations: For versions prior to 7.0.7, upgrade to version 7.0.7 or later. As a temporary workaround, do not interpolate github.event.pull_request.head.ref, github.head_ref, or any other attacker-controlled context value directly into run steps; pass the value to the step through an environment variable (an env: entry on the step) and reference it as a shell variable, so the shell treats it as data rather than as script text. Review which events trigger workflows that use this action and what permissions the GITHUB_TOKEN holds there.
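The mechanism in the description and the workaround in the recommendations, as an added example that is not code from tj-actions/branch-names or from this advisory. The render function simulates the runner's textual substitution of the two context expressions into a run script; the branch name and both step templates are constructed for the demonstration, and the assumption is that substitution is plain text replacement with no escaping, which is exactly what makes the vulnerable pattern dangerous.

```shell
#!/bin/sh
# Added demonstration (not tj-actions/branch-names code): GitHub expands `${{ ... }}`
# expressions by textual substitution into the `run:` script before the shell parses it.
# `render` simulates that substitution for the two context values named in the advisory.

# Constructed attacker-controlled value: a pull request author picks the head branch
# name freely, so quotes and ';' are at their disposal.
EVIL_BRANCH='feature"; echo INJECTED; echo "'

# Simulate the runner's expression substitution (assumption: plain text replacement,
# no escaping or quoting of the inserted value).
render() {
  tmpl=$1
  value=$2
  for marker in '${{ github.head_ref }}' '${{ github.event.pull_request.head.ref }}'; do
    case "$tmpl" in
      *"$marker"*)
        before=${tmpl%%"$marker"*}
        after=${tmpl#*"$marker"}
        tmpl="$before$value$after"
        ;;
    esac
  done
  printf '%s' "$tmpl"
}

# Vulnerable pattern (what versions before 7.0.7 did):
#   run: echo "Branch: ${{ github.event.pull_request.head.ref }}"
# The branch name becomes part of the script, so its quotes and ';' are parsed as code.
vulnerable_step() {
  script=$(render 'echo "Branch: ${{ github.event.pull_request.head.ref }}"' "$1")
  sh -c "$script"
}

# Hardened pattern: hand the value to the step as an environment variable and read it
# as a shell variable, so it stays data and is never part of the script text:
#   env:
#     BRANCH: ${{ github.event.pull_request.head.ref }}
#   run: echo "Branch: $BRANCH"
safe_step() {
  BRANCH=$1 sh -c 'echo "Branch: $BRANCH"'
}

# Succeeds if the step's output contains a line that is exactly INJECTED, i.e. the
# injected command actually ran rather than being printed back as text.
is_injected() {
  "$@" | grep -qx INJECTED
}

if is_injected vulnerable_step "$EVIL_BRANCH"; then
  echo "vulnerable_step: branch name was executed as code"
fi
if ! is_injected safe_step "$EVIL_BRANCH"; then
  echo "safe_step: branch name was printed as data"
fi
```

The safe form works because the runner sets the environment variable before the shell starts and the script only ever contains the literal text $BRANCH; the branch name is expanded as a value inside double quotes, not re-parsed as commands. The same rule applies to every other attacker-influenced context value (pull request title, body, commit message, issue title), not only the head ref.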

Exploit · Fix · RCE


Weakness Enumeration: none listed
Related Identifiers: CVE-2023-49291, GHSA-8V8W-V8XG-79RF
Affected Products: Tj-Actions/Branch-Names