3 matches found
act: Unrestricted set-env and add-path command processing enables environment injection
Summary: act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which GitHub Actions disabled in October 2020 (CVE-2020-15228, GHSA-mfwh-5m23-j46w) due to environment injection risks. When a workflow step echoes untrusted data to stdout, an attacker can inject...
Bitdefender GravityZone code issue vulnerability
Bitdefender GravityZone is a scanning software from Bitdefender Romania. A code issue vulnerability exists in Bitdefender GravityZone that stems from deserialization of untrusted data in the console's message handling component, which allows an attacker to pass insecure commands t...
setroubleshoot-plugins: insecure commands.getoutput use in the allow_execstack plugin
A shell command injection flaw was found in the way the setroubleshoot allow_execstack plugin executed external commands. A local attacker able to trigger an execstack SELinux denial could use this flaw to execute arbitrary code with root privileges...