CVE-2023-28430

Published on: Not Yet Published

Last Modified on: 04/03/2023 06:38:00 PM UTC

CVE-2023-28430 - advisory for GHSA-r9f9-r8jx-gg53

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Certain versions of React-native-onesignal from Onesignal contain the following vulnerability:

OneSignal is an email, sms, push notification, and in-app message service for mobile apps.The Zapier.yml workflow is triggered on issues (types: [closed]) (i.e., when an Issue is closed). The workflow starts with full write-permissions GitHub repository token since the default workflow permissions on Organization/Repository level are set to read-write. This workflow runs the following step with data controlled by the comment `(${{ github.event.issue.title }} – the full title of the Issue)`, allowing an attacker to take over the GitHub Runner and run custom commands, potentially stealing any secret (if used), or altering the repository. This issue was found with CodeQL using javascript’s Expression injection in Actions query. This issue has been addressed in the repositories github action. No actions are required by users. This issue is also tracked as `GHSL-2023-051`.

CVE-2023-28430 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.
Affected Vendor/Software: OneSignal - react-native-onesignal version = < 4.5.1

CVSS3 Score: 8.1 - HIGH

Attack Vector ^ⓘ	Attack Complexity	Privileges Required	User Interaction
NETWORK	LOW	LOW	NONE
Scope	Confidentiality Impact	Integrity Impact	Availability Impact
UNCHANGED	HIGH	HIGH	NONE

CVE References

Description	Tags ^ⓘ	Link
GHSL-2023-051: Command Injection in React Native OneSignal SDK - CVE-2023-28430 \| GitHub Security Lab	securitylab.github.com text/html	MISC securitylab.github.com/advisories/GHSL-2023-051_React_Native_OneSignal_SDK/
Merge pull request #1497 from OneSignal/zapier-fix · OneSignal/[email protected] · GitHub	github.com text/html	MISC github.com/OneSignal/react-native-onesignal/commit/4a66f4237fb51dcc2236889038d488cd49b0f433
Merge pull request #1474 from OneSignal/actions/add_release_drafter · OneSignal/[email protected] · GitHub	github.com text/html	MISC github.com/OneSignal/react-native-onesignal/commit/4e43bda4ce1eb395f36bb8a5640002523c051085

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].

There are currently no QIDs associated with this CVE

Known Affected Configurations (CPE V2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Onesignal	React-native-onesignal	All	All	All	All

cpe:2.3:a:onesignal:react-native-onesignal:*:*:*:*:*:*:*:*:

No vendor comments have been submitted for this CVE

Social Mentions

Source	Title	Posted (UTC)
@CVEreport	CVE-2023-28430 : OneSignal is an email, sms, push notification, and in-app message service for mobile apps.The Zapi… twitter.com/i/web/status/1…	2023-03-27 22:13:55
/r/netcve	CVE-2023-28430	2023-03-27 23:38:51