
CVE-2022-35954

Date: August 13, 2022
The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The "core.exportVariable" function uses a well-known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the "GITHUB_ENV" file may cause the path or other environment variables to be modified in ways the workflow or action author did not intend. Users should upgrade to "@actions/core v1.9.1". If you are unable to upgrade the "@actions/core" package, you can modify your action to ensure that any user input does not contain the delimiter "_GitHubActionsFileCommandDelimeter_" before calling "core.exportVariable".
Language: TYPE_SCRIPT
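
The workaround described above, as an added example (not code from the advisory or from "@actions/core"): a guard that rejects the delimiter before a value is exported, shown against a simplified model of the `NAME<<delimiter` record written to "GITHUB_ENV". The names `formatRecord`, `parseEnvFile`, `assertNoDelimiter`, `guardedRecord`, `EXTRA_VAR` and the sample input are assumptions made for illustration.

```javascript
// Added example: models the GITHUB_ENV multiline record; not @actions/core source.
const DELIM = '_GitHubActionsFileCommandDelimeter_'; // delimiter named in the advisory

// Model of a record written with the fixed delimiter: NAME<<DELIM, value, DELIM.
function formatRecord(name, value) {
  return `${name}<<${DELIM}\n${value}\n${DELIM}\n`;
}

// Simplified reader for the env file (assumption: line-based heredoc parsing).
function parseEnvFile(text) {
  const vars = {};
  const lines = text.split('\n');
  for (let i = 0; i < lines.length; i++) {
    const m = /^([^=<]+)<<(.+)$/.exec(lines[i]);
    if (!m) continue;
    const body = [];
    for (i++; i < lines.length && lines[i] !== m[2]; i++) body.push(lines[i]);
    vars[m[1]] = body.join('\n');
  }
  return vars;
}

// Workaround from the advisory: refuse any name or value containing the delimiter.
function assertNoDelimiter(name, value) {
  for (const [label, s] of [['name', String(name)], ['value', String(value)]]) {
    if (s.includes(DELIM)) {
      throw new Error(`Refusing to export: ${label} contains ${DELIM}`);
    }
  }
}

function guardedRecord(name, value) {
  assertNoDelimiter(name, value);
  return formatRecord(name, String(value));
}

// Constructed untrusted input that carries the delimiter on its own line.
const untrusted = `hello\n${DELIM}\nEXTRA_VAR<<${DELIM}\ninjected`;

function demo() {
  // Without the guard, one export is read back as two variables.
  const unguarded = parseEnvFile(formatRecord('TITLE', untrusted));
  let blocked = false;
  try { guardedRecord('TITLE', untrusted); } catch (e) { blocked = true; }
  // Ordinary multiline values still round-trip through the guard.
  const benign = parseEnvFile(guardedRecord('TITLE', 'hello\nworld'));
  return { unguarded, blocked, benign };
}
```

In an action that cannot be upgraded, call `assertNoDelimiter(name, value)` immediately before `core.exportVariable(name, value)`.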
Severity Score

CVSS v3.1

| Base Score: | |
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | LOW |
| User Interaction (UI): | NONE |
| Scope (S): | CHANGED |
| Confidentiality (C): | NONE |
| Integrity (I): | LOW |
| Availability (A): | NONE |