Shell-injection through Action input

Low
ericcornelissen published GHSA-hgx2-4pp9-357g Oct 24, 2020

Package

No package listed

Affected versions

<= 1.0.0

Patched versions

1.0.1

Description

Impact

(Shell injection) An attacker can execute arbitrary (*) shell commands if they can control the value of the tag input or manage to alter the value of the GITHUB_REF environment variable.

Patches

The problem has been patched in v1.0.1.

Workarounds

If you don't use the tag input, you are most likely safe. The GITHUB_REF environment variable is protected by the GitHub Actions environment, so attacks from there should be impossible.

If you must use the tag input and cannot upgrade to a version above 1.0.0, make sure that the value is not controlled by another Action.


(*): within the scope of what is allowed by GitHub Actions.

Severity

Low

CVE ID

CVE-2020-15272

Weaknesses

No CWEs