21 matches found

CISA
added 2025/03/26 12:00 p.m. · 2 views

Supply Chain Compromise of Third-Party tj-actions/changed-files (CVE-2025-30066) and reviewdog/action-setup@v1 (CVE-2025-30154)

A popular third-party GitHub Action, tj-actions/changed-files, tracked as CVE-2025-30066, was compromised. tj-actions/changed-files is designed to detect which files have changed in a pull request or commit. The supply chain compromise allows for information disclosure of secrets...

CVSS 8.6 · AI score 7.1 · EPSS 0.9183
Exploits: 3 · References: 13

HackRead
added 2025/03/17 2:10 p.m. · 4 views

Malicious Code Hits ‘tj-actions/changed-files’ in 23,000 GitHub Repos

GitHub security alert: Malicious code found in ‘tj-actions/changed-files,’ impacting 23K+ repos. Learn how to check, remove, and protect...

AI score 7.6
Exploits: 0

GitHub Security Blog
added 2025/03/15 6:30 a.m. · 23 views

tj-actions changed-files through 45.0.7 allows remote attackers to discover secrets by reading actions logs.

Summary: A supply chain attack compromised the tj-actions/changed-files GitHub Action, impacting over 23,000 repositories. Attackers retroactively modified multiple version tags to reference a malicious commit, exposing CI/CD secrets in workflow logs. The vulnerability existed between March 14 and...

CVSS 8.6 · AI score 8.8 · EPSS 0.9183
Exploits: 2 · References: 25 · Affected Software: 1

OSV
added 2025/03/15 6:15 a.m. · 13 views

CVE-2025-30066

tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code...

CVSS 8.6 · AI score 8.6 · EPSS 0.9183
Exploits: 2 · References: 21

CNNVD
added 2025/03/15 12:00 a.m. · 2 views

changed-files Security Vulnerability

changed-files is an open source tj-actions project for keeping track of all changed files and directories associated with a target branch, previous commits, or relative paths returned from the project root for the last remote commit. A security vulnerability exists in versions prior to changed-files v46,...

CVSS 8.6 · AI score 8.9 · EPSS 0.9183
Exploits: 2 · References: 20

Cvelist
added 2025/03/15 12:00 a.m. · 12 views

CVE-2025-30066

tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code...

CVSS 8.6 · EPSS 0.9183
Exploits: 2 · References: 19

ATTACKERKB
added 2025/03/15 12:00 a.m. · 15 views

CVE-2025-30066

tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code...

CVSS 8.6 · AI score 8.6 · EPSS 0.9183
In wild · Exploits: 2 · References: 20

VulnCheck KEV
added 2025/03/14 12:00 a.m. · 0 views

VulnCheck KEV: CVE-2025-30066

tj-actions/changed-files GitHub Action contains an embedded malicious code vulnerability that allows a remote attacker to discover secrets by reading GitHub Actions Workflow Logs. These secrets may include, but are not limited to, valid AWS access keys, GitHub personal access tokens (PATs), npm...

CVSS 8.6 · AI score 5.9 · EPSS 0.9183
Exploits: 2 · References: 1

OSV
added 2024/01/02 4:41 p.m. · 38 views

GHSA-MCPH-M25J-8J63 tj-actions/changed-files has Potential Actions command injection in output filenames (GHSL-2023-271)

Summary: The tj-actions/changed-files workflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. Details: The changed-files action returns a list of files changed in a commit or pull request which provides an escapejson...

CVSS 7.3 · AI score 9.1 · EPSS 0.00424
Exploits: 1 · References: 6

GitHub Security Blog
added 2024/01/02 4:41 p.m. · 72 views

tj-actions/changed-files has Potential Actions command injection in output filenames (GHSL-2023-271)

Summary: The tj-actions/changed-files workflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. Details: The changed-files action returns a list of files changed in a commit or pull request which provides an escapejson...

CVSS 9.8 · AI score 8.4 · EPSS 0.00424
Exploits: 1 · References: 6 · Affected Software: 1

NVD
added 2023/12/29 5:16 p.m. · 8 views

CVE-2023-52137

The tj-actions/verify-changed-files action allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. The verify-changed-files workflow returns the list of files changed within a workflow execution. This could potentially allow...

CVSS 8.8 · EPSS 0.00621
Exploits: 1 · References: 3

CVE
added 2023/12/29 5:08 p.m. · 52 views

CVE-2023-52137

CVE-2023-52137 affects the tj-actions/verify-changed-files GitHub Action. The vulnerability allows command injection through changed filenames returned by the verify-changed-files workflow, potentially enabling arbitrary code execution on the GitHub Runner and secret leakage when outputs are used...

CVSS 8.8 · AI score 8.6 · EPSS 0.00621
Exploits: 1 · References: 3 · Affected Software: 1

CNNVD
added 2023/12/29 12:00 a.m. · 2 views

verify-changed-files Input Verification Error Vulnerability

changed-files is used to track the relative paths returned from the project root for all changed files and directories associated with the target branch, previous commits, or the last remote commit. An input validation error vulnerability exists in versions prior to verify-changed-files 17.0.0,...

CVSS 8.8 · AI score 7.9 · EPSS 0.00621
Exploits: 1 · References: 4

Positive Technologies
added 2023/12/29 12:00 a.m. · 2 views

PT-2023-31929

Name of the Vulnerable Software and Affected Versions: tj-actions/verify-changed-files versions prior to 17 Description: The tj-actions/verify-changed-files action allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. The...

CVSS 8.8 · AI score 7.7 · EPSS 0.00621
Exploits: 1 · References: 14

Vulnrichment
added 2023/12/27 4:58 p.m. · 15 views

CVE-2023-51664 tj-actions/changed-files command injection in output filenames

tj-actions/changed-files is a GitHub Action to retrieve all files and directories. Prior to 41.0.0, the tj-actions/changed-files workflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. This issue may lead to arbitrar...

CVSS 7.3 · AI score 8.5 · EPSS 0.00424
Exploits: 1 · References: 4

Cvelist
added 2023/12/27 4:58 p.m. · 13 views

CVE-2023-51664 tj-actions/changed-files command injection in output filenames

tj-actions/changed-files is a GitHub Action to retrieve all files and directories. Prior to 41.0.0, the tj-actions/changed-files workflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. This issue may lead to arbitrar...

CVSS 7.3 · AI score 10 · EPSS 0.00424
Exploits: 1 · References: 4

CVE
added 2023/12/27 4:58 p.m. · 44 views

CVE-2023-51664

The CVE refers to the GitHub Action tj-actions/changed-files. Before version 41.0.0, the action allowed command injection through changed filenames, enabling potential arbitrary code execution on the GitHub Runner and possible secret leakage. Affected component: tj-actions/changed-files (GitHub A...

CVSS 9.8 · AI score 9.1 · EPSS 0.00424
Exploits: 1 · References: 4 · Affected Software: 1

CNNVD
added 2023/12/27 12:00 a.m. · 1 views

changed-files Security Vulnerabilities

changed-files is used to keep track of the relative paths returned from the project root for all changed files and directories associated with the target branch, previous commits, or the last remote commit. A security vulnerability exists in changed-files versions prior to 41.0.0, which stems fro...

CVSS 9.8 · AI score 8 · EPSS 0.00424
Exploits: 1 · References: 5

Positive Technologies
added 2023/12/27 12:00 a.m. · 2 views

PT-2023-31875 · Github · Tj-Actions/Changed-Files

Name of the Vulnerable Software and Affected Versions: tj-actions/changed-files versions prior to 41.0.0 Description: The tj-actions/changed-files workflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. This issue ma...

CVSS 9.8 · AI score 9.8 · EPSS 0.00424
Exploits: 1 · References: 12

Tenable Nessus
added 2018/08/03 12:00 a.m. · 21 views

Docker Container Number of Changed Files

Binary data dockerchangedfilesnum.nbin...

AI score 7.3
Exploits: 0 · References: 1