CVE-2023-26493

Cocos Engine is an open-source framework for building 2D & 3D real-time rendering and interactive content. In the github repo for Cocos Engine the `web-interface-check.yml` was subject to command injection. The `web-interface-check.yml` was triggered when a pull request was opened or updated and contained the user controllable field `(${{ github.head_ref }} – the name of the fork’s branch)`. This would allow an attacker to take over the GitHub Runner and run custom commands (potentially stealing secrets such as GITHUB_TOKEN) and altering the repository. The workflow has since been removed for the repository. There are no actions required of users.
Configurations

Configuration 1 (hide)

cpe:2.3:a:cocos:cocos-engine:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-03-27 22:15

Updated : 2024-02-28 20:13


NVD link : CVE-2023-26493

Mitre link : CVE-2023-26493

CVE.ORG link : CVE-2023-26493


JSON object : View

Products Affected

cocos

  • cocos-engine
CWE
CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')