Improper Input Validation Affecting @actions/core package, versions <1.2.6
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-ACTIONSCORE-1015402
- published 2 Oct 2020
- disclosed 2 Oct 2020
- credit Unknown
Introduced: 2 Oct 2020
CVE-2020-15228 Open this link in a new tabHow to fix?
Upgrade @actions/core to version 1.2.6 or higher.
Overview
@actions/core is a package that provides core functions for setting results, logging, registering secrets and exporting variables across actions.
Affected versions of this package are vulnerable to Improper Input Validation. addPath and exportVariable functions communicate with the Actions Runner over stdout by generating a string in a specific format. Workflows that log untrusted data to stdout may invoke these commands, resulting in the path or environment variables being modified without the intention of the workflow or action author. The runner will release an update that disables the set-env and add-path workflow commands in the near future.