CVE-2024-8156

Name of the Vulnerable Software and Affected Versions significant-gravitas/autogpt versions up to and including the latest version

Description A command injection issue exists due to the insecure use of untrusted user input github.head.ref in the workflow-checker.yml workflow. This allows an attacker to inject arbitrary commands, potentially leading to reverse shell access or theft of sensitive tokens and keys. An attacker can exploit this by creating a branch name with a malicious payload and opening a pull request.

Recommendations For versions up to and including the latest version, update to a version that fixes this issue to prevent command injection attacks. As a temporary workaround, consider restricting the use of the github.head.ref input to minimize the risk of exploitation.