1351 matches found
CVE-2022-36056
Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First...
Design/Logic Flaw
Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First...
CVE-2022-36056
Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First...
CVE-2022-36056 Vulnerabilities with blob verification in sigstore cosign
Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First...
CVE-2022-36056 Vulnerabilities with blob verification in sigstore cosign
Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First...
nuclei-templates
This is a GitHub repository for a community-curated list of templates for the Nuclei engine to find security vulnerabilities in applications. The repository contains various templates for the scanner provided by the team and contributed by the community. The templates are stored in the...
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The core.exportVariable function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values t...
CVE-2022-35954
The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The core.exportVariable function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values t...
Design/Logic Flaw
The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The core.exportVariable function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values t...
CVE-2022-35954 Delimiter injection vulnerability in @actions/core exportVariable
The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The core.exportVariable function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values t...
CVE-2022-35954 Delimiter injection vulnerability in @actions/core exportVariable
The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The core.exportVariable function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values t...
CVE-2022-35954
The CVE-2022-35954 issue affects the GitHub Actions ToolKit, specifically core.exportVariable in @actions/core. The vulnerability arises from a well-known delimiter (GitHubActionsFileCommandDelimeter ) used to set environment variables via GITHUB_ENV, which can be exploited to break out of the in...
CVE-2022-35954 Delimiter injection vulnerability in @actions/core exportVariable
The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The core.exportVariable function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values t...
PT-2022-23055 · Github · @Actions/Core
Name of the Vulnerable Software and Affected Versions: @actions/core versions prior to v1.9.1 Description: The core.exportVariable function uses a well-known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that writ...
GHSA-G86G-CHM8-7R2P check-spelling workflow vulnerable to token leakage via symlink attack
Impact For a repository with the check-spelling action enabled that triggers on pullrequesttarget or schedule, an attacker can send a crafted Pull Request that causes a GITHUBTOKEN to be exposed. With the GITHUBTOKEN, it's possible to push commits to the repository bypassing standard approval...
check-spelling workflow vulnerable to token leakage via symlink attack
Impact For a repository with the check-spelling action enabled that triggers on pullrequesttarget or schedule, an attacker can send a crafted Pull Request that causes a GITHUBTOKEN to be exposed. With the GITHUBTOKEN, it's possible to push commits to the repository bypassing standard approval...
GitHub: Command injection in GitHub Actions ContainerStepHost
GitHub Actions Runner is the application that runs a job from a GitHub Actions workflow. The actions runner invokes the docker cli directly in order to run job containers, service containers, or container actions. A bug in the logic for how the environment is encoded into these docker commands wa...
Cloud-based Cryptocurrency Miners Targeting GitHub Actions and Azure VMs
GitHub Actions and Azure virtual machines VMs are being leveraged for cloud-based cryptocurrency mining, indicating sustained attempts on the part of malicious actors to target cloud resources for illicit purposes. "Attackers can abuse the runners or servers provided by GitHub to run an...
Malicious code in panther-github-actions (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware a3cf372dfd59de8690e3a89a7ea4f9117da1f269a50dcb3ac94d20a9f7903c91 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-5208 Malicious code in panther-github-actions (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware a3cf372dfd59de8690e3a89a7ea4f9117da1f269a50dcb3ac94d20a9f7903c91 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...