SYM_CONF_0023 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | High |
| Impact Level | High |
| Likelihood Level | High |
Description
Using GitHub context variables (such as issue titles or pull request bodies) directly in `run:` steps allows untrusted user input to be executed as shell commands, because the value is substituted into the script text before the shell parses it. This makes it possible for attackers to inject and run malicious code in your CI workflow.
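As an added example that is not part of the original wiki page, the constructed workflow below shows the unsafe pattern next to the hardened form; the workflow, job and step names are assumptions, and the fix is to hand the context value to the shell through an environment variable so it is expanded as data rather than as command text.

```yaml
name: issue-triage
on:
  issues:
    types: [opened]

# Least privilege: this workflow only needs to read the repository.
permissions:
  contents: read

jobs:
  # Vulnerable: the ${{ }} expression is expanded by the runner into the
  # script text *before* the shell parses it, so any shell metacharacters
  # in the issue title become part of the command line that bash executes.
  vulnerable:
    runs-on: ubuntu-latest
    steps:
      - name: Log issue title (unsafe)
        run: echo "New issue: ${{ github.event.issue.title }}"

  # Hardened: the same value is passed via `env:`. The shell expands
  # "$ISSUE_TITLE" at runtime as a single quoted string, so the title is
  # treated as data and its metacharacters are never interpreted.
  hardened:
    runs-on: ubuntu-latest
    steps:
      - name: Log issue title (safe)
        env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $ISSUE_TITLE"
```

When reviewing workflows, flag any `run:` block that contains `${{ github.event.` (or other user-controlled contexts) inline; the `env:` indirection above is the fix in every such case.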
Impact
If exploited, attackers could steal secrets, modify your codebase, or take control of your CI environment. This could lead to data breaches, code tampering, or unauthorized access to sensitive systems and credentials.