CVE-2020-15272 in git-tag-annotation-action

Summary

by MITRE • 26.10.2020

In the git-tag-annotation-action (open source GitHub Action) before version 1.0.1, an attacker can execute arbitrary (*) shell commands if they can control the value of [the `tag` input] or manage to alter the value of [the `GITHUB_REF` environment variable]. The problem has been patched in version 1.0.1. If you don't use the `tag` input you are most likely safe. The `GITHUB_REF` environment variable is protected by the GitHub Actions environment so attacks from there should be impossible. If you must use the `tag` input and cannot upgrade to `> 1.0.0` make sure that the value is not controlled by another Action.


Responsible

GitHub, Inc.

Reserved

25.06.2020

Published

26.10.2020

Moderation

accepted

Entry

VDB-163662

CPE

ready

EPSS

0.00343

KEV

no

Activities

very low

Sources
