Cyber Resilience

CVE-2023-26493

Severity: High · Public PoC · RCE

Published: 27 March 2023
Modified: 21 November 2024
KEV Added: not listed
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.1107 (93.6th percentile)
Risk Priority: 23 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-26493 is a high-severity Injection (CWE-74) vulnerability in Cocos Engine (vendor cocos, product cocos-engine). Its CVSS base score is 8.1 (High).

Operationally, it ranks in the top 6.4% of CVEs by exploit likelihood (EPSS 0.1107, 93.6th percentile); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Cocos Engine, an open-source framework for 2D and 3D real-time rendering, contained a command-injection vulnerability in its GitHub Actions workflow file `web-interface-check.yml`. The workflow was triggered on pull-request creation or update and interpolated the expression `${{ github.head_ref }}` (the name of the fork's branch, which the pull-request author chooses) directly into shell `run:` commands. Because GitHub expands such expressions into the script text before the shell starts, a crafted branch name becomes part of the command, enabling arbitrary command execution on the GitHub-hosted runner.

An authenticated contributor able to open or update a pull request against the repository could therefore execute arbitrary commands, exfiltrate the GITHUB_TOKEN and other secrets, and modify repository contents. The issue is tracked as CWE-74 and CWE-77 and received a CVSS 3.1 score of 8.1.

The GitHub Security Lab advisory and the project’s own commit history indicate that the vulnerable workflow has been removed entirely from the repository; consequently, downstream users of Cocos Engine are not required to take any remediation steps. The associated EPSS score has remained flat at 0.1107 since disclosure.

Vulnerability details

Cocos Engine is an open-source framework for building 2D & 3D real-time rendering and interactive content. In the GitHub repo for Cocos Engine the `web-interface-check.yml` was subject to command injection. The `web-interface-check.yml` was triggered when a pull request was opened or updated and contained the user-controllable field `${{ github.head_ref }}` (the name of the fork's branch). This would allow an attacker to take over the GitHub Runner and run custom commands (potentially stealing secrets such as GITHUB_TOKEN) and alter the repository. The workflow has since been removed from the repository. There are no actions required of users.
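The pattern described in the Deeper analysis and Vulnerability details sections above, as an added example that is not code from the page, the advisory or the Cocos project: a constructed approximation of the vulnerable workflow step beside its standard hardened form (the untrusted value passed through an `env:` variable and quoted), plus a small line-based linter that flags pull-request-controlled expressions expanded inside `run:` scripts. The job layout and the script name `check-interface.sh` are assumptions; the snippets are not the real `web-interface-check.yml`.

```python
import re

# Constructed approximation of the vulnerable pattern (not the real
# web-interface-check.yml): GitHub substitutes the PR head branch name into
# the script text before the shell starts, so its characters become code.
VULNERABLE_WORKFLOW = """\
name: web-interface-check
on: [pull_request]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Check interface
        run: |
          echo "Checking branch ${{ github.head_ref }}"
          ./scripts/check-interface.sh ${{ github.head_ref }}
"""

# Hardened form: the untrusted value reaches the step as an environment
# variable and is quoted, so the shell treats it as data, not script.
HARDENED_WORKFLOW = """\
name: web-interface-check
on: [pull_request]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Check interface
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          echo "Checking branch $HEAD_REF"
          ./scripts/check-interface.sh "$HEAD_REF"
"""

# Expression contexts whose value an external pull-request author chooses
# (non-exhaustive; extend for the events your workflows react to).
UNTRUSTED_CONTEXTS = (
    "github.head_ref",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.issue.title",
    "github.event.comment.body",
    "github.event.commits",
)

EXPR_RE = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")
RUN_RE = re.compile(r"^(?P<pre>\s*(?:-\s+)?)run:\s*(?P<rest>.*)$")


def is_untrusted(expr: str) -> bool:
    """True if the expression reads a context an outside contributor controls."""
    expr = expr.strip()
    return any(
        expr == ctx or expr.startswith(ctx + ".") or expr.startswith(ctx + "[")
        for ctx in UNTRUSTED_CONTEXTS
    )


def find_unsafe_run_interpolations(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, expression) for each untrusted ${{ }} expression
    expanded inside a `run:` script. Line-based so it needs no YAML library;
    handles both `run: cmd` and `run: |` / `run: >` block scalars."""
    lines = workflow_text.splitlines()
    findings: list[tuple[int, str]] = []
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_col = len(m.group("pre"))
        rest = m.group("rest").strip()
        body: list[tuple[int, str]] = []
        if rest and rest[0] in "|>":
            # Block scalar: the script is every following line indented deeper
            # than the `run` key (blank lines belong to the block).
            j = i + 1
            while j < len(lines):
                line = lines[j]
                indent = len(line) - len(line.lstrip(" "))
                if line.strip() == "" or indent > key_col:
                    body.append((j + 1, line))
                    j += 1
                else:
                    break
            i = j
        else:
            body.append((i + 1, rest))
            i += 1
        for line_no, text in body:
            for em in EXPR_RE.finditer(text):
                if is_untrusted(em.group(1)):
                    findings.append((line_no, em.group(1).strip()))
    return findings


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        hits = find_unsafe_run_interpolations(text)
        print(f"{label}: {len(hits)} finding(s)")
        for line_no, expr in hits:
            print(f"  line {line_no}: ${{{{ {expr} }}}} expanded inside a run: script")
```

Run as a script, it reports two findings (lines 10 and 11) for the vulnerable snippet and none for the hardened one, where the same expression appears only under `env:`, which is safe because the value arrives as data rather than as part of the command text. The linter is intentionally a first-pass check for CI or pre-commit use; it does not model the full YAML grammar and will miss expressions passed through `with:` inputs into actions that later execute them.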

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: cocos
Product: cocos-engine
Affected versions: ≤ 2023-02-20

Mitigating Controls

Likely Mitigating Controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-74: Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.

- Addresses CWE-74: Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.
