CVE-2023-31128
Published: 26 May 2023
Summary
CVE-2023-31128 is a high-severity OS Command Injection (CWE-78) vulnerability in Nextcloud Cookbook. Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 5.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
NextCloud Cookbook, a recipe management application for NextCloud, contains a command-injection vulnerability in its GitHub Actions workflow file pull-checks.yml. The workflow directly interpolates the attacker-controlled github.head_ref value into a shell command without sanitization, enabling CWE-78 injection when a pull request is processed. The flaw existed prior to commits a46d9855 (master) and 489bb744 (main-0.9.x) and affected only the repository’s CI infrastructure, not deployed instances of the app.
An attacker who can open a pull request against a vulnerable fork or the upstream repository can supply a head_ref containing shell metacharacters (for example, zzz";echo${IFS}"hello";#). Because the workflow’s permissions were not restricted, successful injection grants the ability to execute arbitrary commands in the runner context, potentially leading to repository write access, secret exfiltration, or further lateral movement within the GitHub Actions environment.
The project’s security advisory GHSA-c5pc-mf2f-xq8h and the linked commits document the remediation, which replaces the untrusted input with a safe reference. The accompanying GitHub Security Lab reference on untrusted workflow inputs provides the general hardening guidance applied in the fix. The associated EPSS score reached a peak of 0.1532, indicating measurable post-disclosure exploitation interest.
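A constructed workflow fragment, added here as an illustration and not the Cookbook project's own pull-checks.yml, showing the injectable pattern beside the form that follows the GitHub Security Lab guidance the advisory cites: the untrusted context value is passed through an environment variable instead of being expanded into the script, and the job token is scoped to read access. The job and step names are assumptions.

```yaml
# Constructed illustration (not the Cookbook project's actual pull-checks.yml).
name: pull-checks
on:
  pull_request:

# Least privilege: a PR check that only reads the tree needs no write scope,
# so a compromised step cannot push to the repository with the job token.
permissions:
  contents: read

jobs:
  checks:
    runs-on: ubuntu-latest
    steps:
      # VULNERABLE: the ${{ }} expression is substituted by the Actions runner
      # before the shell ever parses the script. A head branch named
      #   zzz";echo${IFS}"hello";#
      # closes the quoted string and the shell runs the appended command.
      - name: Show branch (unsafe)
        run: echo "Checking ref ${{ github.head_ref }}"

      # HARDENED: the untrusted value is handed to the step as an environment
      # variable. The script text is now fixed; the shell expands $HEAD_REF as
      # data, and the double quotes keep its metacharacters from being parsed.
      - name: Show branch (safe)
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: echo "Checking ref $HEAD_REF"
```

The same rule applies to any other attacker-influenced context (pull request title or body, commit message, issue text): never place it inside `run:`, only inside `env:`.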
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-35452
Vulnerability details
NextCloud Cookbook is a recipe library app. Prior to commit a46d9855 on the `master` branch and commit 489bb744 on the `main-0.9.x` branch, the `pull-checks.yml` workflow is vulnerable to command injection attacks because it uses an untrusted `github.head_ref` field. The `github.head_ref` value is an attacker-controlled value. Assigning the value to `zzz";echo${IFS}"hello";#` can lead to command injection. Since the permission is not restricted, the attacker has write access to the repository. This issue is fixed in commit a46d9855 on the `master` branch and commit 489bb744 on the `main-0.9.x` branch. There is no risk for the user of the app within the NextCloud server. This only affects the main repository and possible forks of it. Those who have forked the NextCloud Cookbook repository should make sure their forks are on the latest version to prevent code injection attacks and similar.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.