We found results for “”
CVE-2022-35954
Good to know:
Date: August 13, 2022
The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The "core.exportVariable" function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the "GITHUB_ENV" file may cause the path or other environment variables to be modified without the intention of the workflow or action author. Users should upgrade to "@actions/core v1.9.1". If you are unable to upgrade the "@actions/core" package, you can modify your action to ensure that any user input does not contain the delimiter "_GitHubActionsFileCommandDelimeter_" before calling "core.exportVariable".
Language: TYPE_SCRIPT
Severity Score
Related Resources (5)
Severity Score
Weakness Type (CWE)
Top Fix
CVSS v3.1
| Base Score: |
|
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | LOW |
| User Interaction (UI): | NONE |
| Scope (S): | CHANGED |
| Confidentiality (C): | NONE |
| Integrity (I): | LOW |
| Availability (A): | NONE |
Vulnerabilities
Projects
Contact Us


