Delimiter injection vulnerability in @actions/core exportVariable
CVE-2022-35954

5MEDIUM

Key Information:

Vendor: Actions
Status: Toolkit
Vendor: CVE Published:; 15 August 2022

What is CVE-2022-35954?

The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The core.exportVariable function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the GITHUB_ENV file may cause the path or other environment variables to be modified without the intention of the workflow or action author. Users should upgrade to @actions/core v1.9.1. If you are unable to upgrade the @actions/core package, you can modify your action to ensure that any user input does not contain the delimiter _GitHubActionsFileCommandDelimeter_ before calling core.exportVariable.

Affected Version(s)

toolkit <= 1.9.0

References

https://github.com/actions/toolkit/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/actions/toolkit/commit/4beda9cbc00ba6e...

x_refsource_MISC

CVSS V3.1

Score:

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 15, 2022
Vulnerability Reserved
Jul 15, 2022

JSON