{"vulnerability": "CVE-2023-52137", "sightings": [{"uuid": "eaa4d382-9256-426c-9c0e-ce95fad34baf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-52137", "type": "seen", "source": "https://t.me/ctinow/170892", "content": "https://ift.tt/v3Un1ck\nCVE-2023-52137 | tj-actions verify-changed-files up to 16.x input validation (GHSA-ghm2-rq8q-wrhc)", "creation_timestamp": "2024-01-21T17:46:07.000000Z"}, {"uuid": "53762caa-3c9b-47bf-9c29-c416fadb18a5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-52137", "type": "seen", "source": "https://t.me/ctinow/160624", "content": "https://ift.tt/71hwzuC\nCVE-2023-52137", "creation_timestamp": "2023-12-29T18:26:36.000000Z"}, {"uuid": "0dda5307-89c9-4340-bba0-f3bef476e4c5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-52137", "type": "seen", "source": "https://t.me/ctinow/166070", "content": "https://ift.tt/hK7DFao\nCVE-2023-52137 Exploit", "creation_timestamp": "2024-01-10T19:17:12.000000Z"}, {"uuid": "67d8645a-c66d-4ccf-8190-21d7e8745348", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-52137", "type": "published-proof-of-concept", "source": "https://t.me/cibsecurity/74003", "content": "\u203c\ufe0fCVE-2023-52137\u203c\ufe0f\n\nThe tjactionsverifychangedfileshttpsgithub.comtjactionsverifychangedfiles action allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. The verifychangedfileshttpsgithub.comtjactionsverifychangedfiles workflow returns the list of files changed within a workflow execution. This could potentially allow filenames that contain special characters such as  which can be used by an attacker to take over the GitHub Runnerhttpsdocs.github.comenactionsusinggithubhostedrunnersaboutgithubhostedrunners if the output value is used in a raw fashion thus being directly replaced before execution inside a run block. By running custom commands, an attacker may be able to steal secrets such as GITHUBTOKEN if triggered on other events than pullrequest.  This has been patched in versions 17httpsgithub.comtjactionsverifychangedfilesreleasestagv17 and 17.0.0httpsgithub.comtjactionsverifychangedfilesreleasestagv17.0.0 by enabling safeoutput by default and returning filename paths escaping special characters for bash environments.\n\n\ud83d\udcd6 Read more\n\nVia \"National Vulnerability Database\"", "creation_timestamp": "2023-12-30T01:43:07.000000Z"}]}