CVE-2020-15228

🗓️ 01 Oct 2020 18:12:15Reported by [email protected]Type

`Vulnerability in @actions/core npm module allows unauthorized modification of path and environment variables through stdout communication. Users urged to update to v1.2.6 or later and replace set-env and add-path commands in workflows.

AI Insights are available for you today

Leverage the power of AI to quickly understand vulnerabilities, impacts, and exploitability

Reporter	Title	Published	Views	Family All 9
OSV	Environment Variable Injection in GitHub Actions	1 Oct 202017:16	–	osv
Github Security Blog	Environment Variable Injection in GitHub Actions	1 Oct 202017:16	–	github
GitLab Advisory Database	Improper Input Validation	1 Oct 202000:00	–	gitlab
Veracode	Environment Variables Tampering	2 Oct 202004:37	–	veracode
Cvelist	CVE-2020-15228 Environment Variable Injection in GitHub Actions	1 Oct 202017:25	–	cvelist
Prion	Design/Logic Flaw	1 Oct 202018:15	–	prion
GithubExploit	Exploit for Command Injection in Toolkit Project Toolkit	12 Nov 202011:59	–	githubexploit
CVE	CVE-2020-15228	1 Oct 202018:15	–	cve
IBM Security Bulletins	Security Bulletin: IBM Cloud Pak for Network Automation 2.7.3 addresses multiple security vulnerabilities	26 Mar 202504:10	–	ibm

Nvd

Node

toolkit_project toolkitRange<1.2.6node.js

Source	Link
packetstormsecurity	www.packetstormsecurity.com/files/159794/GitHub-Widespread-Injection.html
github	www.github.com/actions/toolkit/security/advisories/GHSA-mfwh-5m23-j46w

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo

01 Oct 2020 18:15Current

CVSS24

CVSS35

EPSS0.00322