Upgrade tj-actions/branch-names GitHub Action to Fix Security Vulnerability

CVE: CVE-2023-49291
CVSS (v3.1): 9.3
Source: CVE-2023-49291

The tj-actions/branch-names GitHub Action is a popular tool for retrieving branch and tag names in GitHub workflows. A security vulnerability was discovered in it that could allow attackers to abuse the permissions of the GITHUB_TOKEN and steal secrets.

The issue arises from how the action references branch-name context variables. By pushing a branch with a specially crafted name, it is possible to execute arbitrary code within a run step of the GitHub Actions workflow. This gives an attacker access to the workflow’s secrets and to the permissions of the GITHUB_TOKEN.

To carry out an attack, a malicious actor would need to push a branch whose name exploits the way the context variables are referenced. This could then allow them to steal secrets such as API keys, or to access private code and data in the affected repositories.
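An added check, not part of this advisory or of the tj-actions project: a small scanner that flags workflow files in which a branch-name context expression is expanded directly inside a run: script, which is the general pattern described above, next to the env-variable form that keeps the branch name out of the shell command. The list of branch-name contexts and the sample workflow are assumptions constructed for this example.

```python
import re

# Branch/tag-name contexts an outside contributor can choose (assumed, not exhaustive).
BRANCH_NAME_CONTEXTS = ("github.head_ref", "github.ref_name", "github.ref",
                        "github.event.pull_request.head.ref")
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")       # ${{ ... }} expressions
RUN_RE = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")  # a step's run: key

def is_branch_name_expr(expr: str) -> bool:
    """True if the expression reads one of the branch-name contexts."""
    return any(re.search(r"\b" + re.escape(c) + r"\b", expr) for c in BRANCH_NAME_CONTEXTS)

def find_branch_name_injection(workflow_text: str) -> list[tuple[int, str]]:
    """(line_number, expression) for each branch-name context expanded directly
    inside a run: script, where the runner substitutes it before the shell parses."""
    findings = []
    key_indent = None  # indent of the run: key while inside a | or > block scalar
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = RUN_RE.match(line)
        if m:
            key_indent = None
            if m.group(2)[:1] in ("|", ">"):
                key_indent = len(m.group(1))  # multi-line script follows
            else:  # single-line run: value
                findings += [(lineno, e) for e in EXPR_RE.findall(m.group(2))
                             if is_branch_name_expr(e)]
            continue
        if key_indent is not None:
            indent = len(line) - len(line.lstrip(" "))
            if line.strip() and indent <= key_indent:
                key_indent = None  # left the block scalar
            else:
                findings += [(lineno, e) for e in EXPR_RE.findall(line)
                             if is_branch_name_expr(e)]
    return findings

# Constructed sample: step one expands the branch name inside the shell command;
# step two passes it through env, so the shell only ever sees $BRANCH.
SAMPLE_WORKFLOW = """\
on: [pull_request]
jobs:
  build:
    steps:
      - name: unsafe
        run: echo "building ${{ github.head_ref }}"
      - name: safe
        env:
          BRANCH: ${{ github.head_ref }}
        run: |
          echo "building $BRANCH"
"""
```

Running find_branch_name_injection(SAMPLE_WORKFLOW) reports only the first step; the env-variable form is the usual remediation for this class of expression injection.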

The developers have addressed the problem in version 7.0.7 of the tj-actions/branch-names action. Users should upgrade to the latest version as soon as possible to protect themselves from this vulnerability, and should keep their GitHub Actions and other dependencies updated regularly to stay ahead of newly disclosed issues.

If upgrading isn’t possible right away, consider temporarily disabling the workflows that use this action until you can update. Upgrading promptly and keeping software current remains the most reliable defence against exploitation of known issues.
