CVE-2023-34111
Severity: HIGH
tdengine/grafana < 2023-05-22 - Remote Code Execution via GitHub Workflow Command Injection
Title source: llmDescription
The `Release PR Merged` workflow in the GitHub repository taosdata/grafanaplugin is subject to a command injection vulnerability that allows arbitrary code execution within the GitHub Actions context, due to the insecure use of `${{ github.event.pull_request.title }}` inside a bash command in the workflow. Attackers can inject malicious commands that will be executed by the workflow. This happens because `${{ github.event.pull_request.title }}` is passed directly into a bash command on line 25 of the workflow. This may allow an attacker to gain access to secrets the GitHub Action has access to, or to otherwise make use of the compute resources.
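The following is an added illustration of the weak pattern the advisory describes and of the standard hardening, written for this page and not taken from the taosdata/grafanaplugin repository; the job layout, step names and the `echo` command are assumed, only the `${{ github.event.pull_request.title }}` expression comes from the advisory.

```yaml
# Added example, not the project's actual release-pr-merged.yaml.
# Job layout, step names and the echo command are assumed.
name: Release PR Merged

on:
  pull_request:
    types: [closed]

# Least privilege for the GITHUB_TOKEN limits what a hijacked step can do;
# secrets used by later steps should likewise be scoped to those steps only.
permissions:
  contents: read

jobs:
  release:
    if: github.event.pull_request.merged == true
    runs-on: ubuntu-latest
    steps:
      # WEAK: the ${{ }} expression is substituted into the script text
      # before bash parses it, so a PR title containing shell metacharacters
      # becomes part of the command line rather than data. This is the
      # pattern the advisory reports on line 25 of the real workflow.
      - name: Announce release (vulnerable pattern)
        run: echo "Merged: ${{ github.event.pull_request.title }}"

      # FIXED: route the untrusted value through an environment variable.
      # The runner sets PR_TITLE as plain data; bash then expands "$PR_TITLE"
      # as a quoted string and never interprets its contents as code,
      # whatever characters the title holds.
      - name: Announce release (hardened)
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Merged: $PR_TITLE"
```

The same intermediate-variable rule applies to every other attacker-controlled event field (PR body, branch name, commit message, issue title), and a `grep` for `${{ github.event.` inside `run:` blocks is a quick way to audit a repository for the pattern.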
References (3), core:
- Exploit, Third Party Advisory (x_refsource_confirm): https://github.com/taosdata/grafanaplugin/security/advisories/GHSA-23wp-p848-hcgr
- Product (x_refsource_misc): https://github.com/taosdata/grafanaplugin/blob/master/.github/workflows/release-pr-merged.yaml#L25
- Exploit, Third Party Advisory (x_refsource_misc): https://securitylab.github.com/research/github-actions-untrusted-input/
Scores
CVSS v3: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
Attack Vector: NETWORK
EPSS: 0.0405
EPSS Percentile: 89.4%
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-20, CWE-77
Status: published
Products (1): tdengine/grafana < 2023-05-22
Published: Jun 06, 2023
Tracked Since: Feb 18, 2026