CVE-2023-26493
Published: 27 March 2023
Summary
CVE-2023-26493 is a high-severity Injection (CWE-74) vulnerability in Cocos Cocos-Engine. Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 6.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Cocos Engine, an open-source framework for 2D and 3D real-time rendering, contained a command-injection vulnerability in its GitHub Actions workflow file web-interface-check.yml. The workflow was triggered on pull-request creation or update and unsafely interpolated the attacker-controlled expression ${{ github.head_ref }} directly into shell commands, enabling arbitrary command execution on the GitHub-hosted runner.
An authenticated contributor able to open or update a pull request against the repository could therefore execute arbitrary commands, exfiltrate the GITHUB_TOKEN and other secrets, and modify repository contents. The issue is tracked as CWE-74 and CWE-77 and received a CVSS 3.1 score of 8.1.
The GitHub Security Lab advisory and the project’s own commit history indicate that the vulnerable workflow has been removed entirely from the repository; consequently, downstream users of Cocos Engine are not required to take any remediation steps. The associated EPSS score has remained flat at 0.1107 since disclosure.
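The pattern described above, direct interpolation of `${{ github.head_ref }}` into a `run:` step, can be caught before a workflow ships. The following is an added example (not code from the Cocos project or the advisory): a small scanner that flags attacker-controlled expressions inside `run:` scripts, run over two constructed, trimmed workflows that stand in for the vulnerable shape and for the usual hardening (pass the value through an environment variable and quote it). The list of untrusted expressions is an assumption and is not exhaustive; Cocos's own fix was to delete the workflow.

```python
import re

# Expressions a PR author controls (constructed, non-exhaustive; head_ref is the Cocos one).
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.(?:head_ref|event\.pull_request\.(?:title|body|head\.ref))\s*\}\}"
)
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")

def find_run_injections(workflow_text):
    """Return (line_no, expression) for every untrusted expression that is
    interpolated straight into a `run:` shell script (inline or block scalar)."""
    findings, in_block, block_indent = [], False, 0
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = RUN_KEY.match(line)
        if m:
            # Column of the `run` key itself; block-scalar content is indented deeper.
            block_indent = len(m.group(1)) + len(m.group(2) or "")
            rest = m.group(3).strip()
            in_block = rest.startswith(("|", ">"))
            if not in_block:  # single-line `run: ...`
                findings += [(lineno, e.group(0)) for e in UNTRUSTED.finditer(rest)]
            continue
        if in_block:
            if line.strip() and len(line) - len(line.lstrip()) <= block_indent:
                in_block = False  # dedent: the block scalar has ended
            else:
                findings += [(lineno, e.group(0)) for e in UNTRUSTED.finditer(line)]
    return findings

# Constructed stand-ins (trimmed workflows, not the real Cocos file).
VULNERABLE = """\
on: pull_request
jobs:
  check:
    steps:
      - run: |
          git fetch origin ${{ github.head_ref }}
"""
# Hardened shape: the value reaches the shell as data in $HEAD_REF, not as script text.
FIXED = """\
on: pull_request
jobs:
  check:
    steps:
      - env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          git fetch origin "$HEAD_REF"
"""
```

`find_run_injections(VULNERABLE)` reports line 6 with the offending expression, while the hardened workflow yields no findings.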
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-30293
Vulnerability details
Cocos Engine is an open-source framework for building 2D & 3D real-time rendering and interactive content. In the GitHub repo for Cocos Engine, the `web-interface-check.yml` workflow was subject to command injection. The workflow was triggered when a pull request was opened or updated and contained the user-controllable field `${{ github.head_ref }}` (the name of the fork's branch). This would allow an attacker to take over the GitHub Runner and run custom commands (potentially stealing secrets such as GITHUB_TOKEN) and alter the repository. The workflow has since been removed from the repository. There are no actions required of users.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.
- Anomaly and attack monitoring identifies indicators of injection attacks (command, SQL, LDAP, etc.) at runtime.