Cocos Engine
CVE-2023-26493
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Cocos Engine is an open-source framework for building 2D & 3D real-time rendering and interactive content. In the github repo for Cocos Engine the web-interface-check.yml was subject to command injection. The web-interface-check.yml was triggered when a pull request was opened or updated and contained the user controllable field (${{ github.head_ref }} - the name of the fork’s branch). This would allow an attacker to take over the GitHub Runner and run custom commands (potentially stealing secrets such as GITHUB_TOKEN) and altering the repository. The workflow has since been removed for the repository. There are no actions required of users.
AnalysisAI
Cocos Engine is an open-source framework for building 2D & 3D real-time rendering and interactive content. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified under CWE-74. Cocos Engine is an open-source framework for building 2D & 3D real-time rendering and interactive content. In the github repo for Cocos Engine the web-interface-check.yml was subject to command injection. The web-interface-check.yml was triggered when a pull request was opened or updated and contained the user controllable field (${{ github.head_ref }} - the name of the fork’s branch). This would allow an attacker to take over the GitHub Runner and run custom commands (potentially stealing secrets such as GITHUB_TOKEN) and altering the repository. The workflow has since been removed for the repository. There are no actions required of users. Affected products include: Cocos Cocos-Engine.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Same technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today