CVE-2023-34111

Name: CVE-2023-34111
Creator: NVD / NIST
Published: 2023-06-06T17:15:15.21+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 4.05%

Last modified Jun 17, 2026

CVE-2023-34111 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. The `Release PR Merged` workflow in the github repo taosdata/grafanaplugin is subject to a command injection vulnerability which allows for arbitrary code execution within the github action context due to the insecure usage of `${{ github.event.pull_request.title }}` in a bash command within the GitHub workflow. Attackers can inject malicious commands which will be executed by the workflow. EPSS estimates a 4.05% chance of exploitation in the next 30 days.

Description

The `Release PR Merged` workflow in the github repo taosdata/grafanaplugin is subject to a command injection vulnerability which allows for arbitrary code execution within the github action context due to the insecure usage of `${{ github.event.pull_request.title }}` in a bash command within the GitHub workflow. Attackers can inject malicious commands which will be executed by the workflow. This happens because `${{ github.event.pull_request.title }}` is directly passed to bash command on like 25 of the workflow. This may allow an attacker to gain access to secrets which the github action has access to or to otherwise make use of the compute resources.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

4.05%

89.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Tdengine	Grafana	<= 2023-05-22

References

https://github.com/taosdata/grafanaplugin/blob/master/.github/workflows/release-pr-merged.yaml#L25Product
https://github.com/taosdata/grafanaplugin/security/advisories/GHSA-23wp-p848-hcgrExploit, Third Party Advisory
https://securitylab.github.com/research/github-actions-untrusted-input/Exploit, Third Party Advisory
https://github.com/taosdata/grafanaplugin/blob/master/.github/workflows/release-pr-merged.yaml#L25Product
https://github.com/taosdata/grafanaplugin/security/advisories/GHSA-23wp-p848-hcgrExploit, Third Party Advisory
https://securitylab.github.com/research/github-actions-untrusted-input/Exploit, Third Party Advisory

Timeline

Published: Jun 6, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-34111?

How severe is CVE-2023-34111?

CVE-2023-34111 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 4.05% probability of exploitation in the next 30 days.

How do I fix CVE-2023-34111?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-34111?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST