Vulnerability Details CVE-2023-26493
Cocos Engine is an open-source framework for building 2D & 3D real-time rendering and interactive content. In the github repo for Cocos Engine the `web-interface-check.yml` was subject to command injection. The `web-interface-check.yml` was triggered when a pull request was opened or updated and contained the user controllable field `(${{ github.head_ref }} – the name of the fork’s branch)`. This would allow an attacker to take over the GitHub Runner and run custom commands (potentially stealing secrets such as GITHUB_TOKEN) and altering the repository. The workflow has since been removed for the repository. There are no actions required of users.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.012
EPSS Ranking 78.3%
CVSS Severity
CVSS v3 Score 8.1
References
- https://github.com/cocos/cocos-engine/blob/2362df28a4b3016dbda804899041279701929728/.github/workflows/web-interface-check.yml
- https://github.com/cocos/cocos-engine/commit/6d06aefa2684e20da79e7ceaf41f728c1a8d7a41
- https://securitylab.github.com/advisories/GHSL-2023-027_Engine_for_Cocos_Creator/
- https://github.com/cocos/cocos-engine/blob/2362df28a4b3016dbda804899041279701929728/.github/workflows/web-interface-check.yml
- https://github.com/cocos/cocos-engine/commit/6d06aefa2684e20da79e7ceaf41f728c1a8d7a41
- https://securitylab.github.com/advisories/GHSL-2023-027_Engine_for_Cocos_Creator/
Products affected by CVE-2023-26493
-
cpe:2.3:a:cocos:cocos-engine:*