You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The core.exportVariable function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the GITHUB_ENV file may cause the path or other environment variables to be modified without the intention of the workflow or action author. Users should upgrade to @actions/core v1.9.1. If you are unable to upgrade the @actions/core package, you can modify your action to ensure that any user input does not contain the delimiter _GitHubActionsFileCommandDelimeter_ before calling core.exportVariable.
CVE-2022-35954 - Medium Severity Vulnerability
Vulnerable Library - core-1.2.6.tgz
Actions core lib
Library home page: https://registry.npmjs.org/@actions/core/-/core-1.2.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@actions/core/package.json
Dependency Hierarchy:
Found in HEAD commit: b946ad8d4f25043e02c690fc58b68b199f903484
Found in base branch: master
Vulnerability Details
The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The
core.exportVariable
function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to theGITHUB_ENV
file may cause the path or other environment variables to be modified without the intention of the workflow or action author. Users should upgrade to@actions/core v1.9.1
. If you are unable to upgrade the@actions/core
package, you can modify your action to ensure that any user input does not contain the delimiter_GitHubActionsFileCommandDelimeter_
before callingcore.exportVariable
.Publish Date: 2022-08-15
URL: CVE-2022-35954
CVSS 3 Score Details (5.0)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35954
Release Date: 2022-08-15
Fix Resolution: 1.9.1
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: