Cyber Resilience

CVE-2023-31128

Severity: High · Public PoC · RCE

Published: 26 May 2023
Modified: 14 January 2025
CVSS v3.1 score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS score: 0.1286 (94.2nd percentile)
Risk priority: 24 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-31128 is a high-severity OS Command Injection (CWE-78) vulnerability in Nextcloud Cookbook. Its CVSS base score is 8.1 (High).

Operationally, it ranks in the top 5.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

NextCloud Cookbook, a recipe management application for NextCloud, contains a command-injection vulnerability in its GitHub Actions workflow file pull-checks.yml. The workflow directly interpolates the attacker-controlled github.head_ref value into a shell command without sanitization, enabling CWE-78 injection when a pull request is processed. The flaw existed prior to commits a46d9855 (master) and 489bb744 (main-0.9.x) and affected only the repository’s CI infrastructure, not deployed instances of the app.

An attacker who can open a pull request against a vulnerable fork or the upstream repository can supply a head_ref containing shell metacharacters (for example, zzz";echo${IFS}"hello";#). Because the workflow’s permissions were not restricted, successful injection grants the ability to execute arbitrary commands in the runner context, potentially leading to repository write access, secret exfiltration, or further lateral movement within the GitHub Actions environment.

The project’s security advisory GHSA-c5pc-mf2f-xq8h and the linked commits document the remediation, which replaces the untrusted input with a safe reference. The accompanying GitHub Security Lab reference on untrusted workflow inputs provides the general hardening guidance applied in the fix. The associated EPSS score reached a peak of 0.1532, indicating measurable post-disclosure exploitation interest.


Vulnerability details

NextCloud Cookbook is a recipe library app. Prior to commit a46d9855 on the `master` branch and commit 489bb744 on the `main-0.9.x` branch, the `pull-checks.yml` workflow is vulnerable to command injection attacks because of using an untrusted `github.head_ref` field. The `github.head_ref` value is an attacker-controlled value. Assigning the value to `zzz";echo${IFS}"hello";#` can lead to command injection. Since the permission is not restricted, the attacker has write access to the repository. This issue is fixed in commit a46d9855 on the `master` branch and commit 489bb744 on the `main-0.9.x` branch. There is no risk for the user of the app within the NextCloud server. This only affects the main repository and possible forks of it. Those who have forked the NextCloud Cookbook repository should make sure their forks are on the latest version to prevent code injection attacks and similar.
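The interpolation pattern described in the deeper analysis and the vulnerability details above, as an added example that is not Cookbook's own `pull-checks.yml` or the project's fix: a hypothetical workflow (file, job and step names are illustrative) showing the unsafe step next to the hardened form from the GitHub Security Lab guidance on untrusted inputs, with the untrusted value passed through an environment variable and the workflow token restricted to read access.

```yaml
# Hypothetical workflow illustrating the CWE-78 pattern; not the Cookbook repository's file.
name: pull-checks-example
on:
  pull_request:

# Least privilege for the job token. The vulnerable workflow's permissions were not
# restricted, which is why runner compromise implied repository write access.
permissions:
  contents: read

jobs:
  unsafe-pattern:
    runs-on: ubuntu-latest
    steps:
      # VULNERABLE: the ${{ }} expression is substituted into the script text
      # before the shell parses it, so shell metacharacters in the pull request's
      # branch name (github.head_ref) are interpreted as commands.
      - name: Report branch (unsafe)
        run: echo "Checking branch ${{ github.head_ref }}"

  hardened-pattern:
    runs-on: ubuntu-latest
    steps:
      # SAFE: the untrusted value enters the step only as an environment variable.
      # The shell sees a plain variable expansion, and the double quotes keep the
      # value a single word, so metacharacters are data rather than syntax.
      - name: Report branch (hardened)
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: echo "Checking branch $HEAD_REF"
```

The same environment-variable indirection applies to every other event field an external contributor controls (pull request title, body, commit messages, author names), not only `github.head_ref`.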

CWE(s)

CWE-78: OS Command Injection

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

nextcloud cookbook, versions 0.9.0 through 0.9.19

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.
- Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.

References