3 matches found
CVE-2022-29220
creationtimestamp| type| source ---|---|--- 2022-05-31 20:23:50+00:00| seen| https://t.me/cibsecurity/43572...
CVE-2022-29220 No verification of commits origin in github-action-merge-dependabot
github-action-merge-dependabot is an action that automatically approves and merges dependabot pull requests PRs. Prior to version 3.2.0, github-action-merge-dependabot does not check if a commit created by dependabot is verified with the proper GPG key. There is just a check if the actor is set t...
CVE-2022-29220
CVE-2022-29220 concerns the github-action-merge-dependabot GitHub Action. Prior to version 3.2.0, it does not verify that commits created by dependabot are signed with the correct GPG key; it only checks that the PR actor is dependabot[bot]. This enables a threat actor with access to the pipeline...