
1351 matches found

OSV
added 2021/04/06 6:36 p.m. | 15 views

GHSA-GG2G-M5WC-VCCQ Rebuild-bot workflow may allow unauthorised repository modifications

Impact: projen is a project generation tool that synthesizes project configuration files such as package.json, tsconfig.json, .gitignore, GitHub Workflows, eslint, jest, and more, from a well-typed definition written in JavaScript. Users of projen's NodeProject project type including any project...

7.6 CVSS | 8.1 AI score | 0.00672 EPSS
Exploits 0 | References 6
Gitee
added 2021/01/15 9:46 a.m. | 1 views

PayloadsAllTheThings

It is an offensive tool for funding. This repository contains a collection of funding models, including GitHub Sponsors, Ko-fi, and Buy Me a Coffee. The primary vulnerability class is not explicitly stated, but the tool appears to be related to funding models rather than a specific vulnerability...

7 AI score
Exploits 0
Gitee
added 2020/12/13 11:17 p.m. | 2 views

vulhub

It is an offensive tool for Docker environments. The primary vulnerability is not specified, but the repository contains a collection of vulnerable Docker environments, including CouchDB, FFmpeg, Git, InfluxDB, and others. The environments are designed to be vulnerable to various attacks, allowin...

7 AI score
Exploits 0
Tenable Nessus
added 2020/11/30 12:0 a.m. | 46 views

openSUSE Security Update : rclone (openSUSE-2020-2008)

This update for rclone fixes the following issues : rclone was updated to version 1.53.3 : - Bug Fixes - Fix incorrect use of math/rand instead of crypto/rand CVE-2020-28924 boo1179005 Nick Craig-Wood - Check https://github.com/rclone/passwordcheck for a tool check for weak passwords generated by...

7.5 CVSS | 7.5 AI score | 0.00352 EPSS
Exploits 1 | References 3
CNVD
added 2020/11/10 12:0 a.m. | 2 views

Atlassian Jira gajira-create code execution vulnerability

Atlassian Jira is a defect tracking management system from Atlassian Australia. The system is used to track and manage all types of issues and defects in the workplace. gajira-comment is a Jira plugin for configuring Jira comment operations. Atlassian gajira-create A security vulnerability exists...

9.8 CVSS | 7.8 AI score | 0.02136 EPSS
Exploits 0 | References 1
Gitee
added 2020/11/07 4:37 p.m. | 1 views

pwntools

This is an open-source repository for the pwntools project, a Python library for reverse engineering and exploitation. The repository contains various files and workflows for contributing to the project, including issue templates, pull request templates, and workflows for continuous integration a...

7 AI score
Exploits 0
Prion
added 2020/10/26 7:15 p.m. | 7 views

Design/Logic Flaw

In the git-tag-annotation-action open source GitHub Action before version 1.0.1, an attacker can execute arbitrary shell commands if they can control the value of the tag input or manage to alter the value of the GITHUB_REF environment variable. The problem has been patched in version 1.0.1. If yo...

6.5 CVSS | 9.5 AI score | 0.00343 EPSS
Exploits 0 | References 3 | Affected Software 1
Cvelist
added 2020/10/01 5:25 p.m. | 13 views

CVE-2020-15228 Environment Variable Injection in GitHub Actions

In the @actions/core npm module before version 1.2.6, addPath and exportVariable functions communicate with the Actions Runner over stdout by generating a string in a specific format. Workflows that log untrusted data to stdout may invoke these commands, resulting in the path or environment...

3.5 CVSS | 5.6 AI score | 0.00608 EPSS
Exploits 2 | References 2
Github Security Blog
added 2020/10/01 5:16 p.m. | 45 views

Environment Variable Injection in GitHub Actions

Impact: The @actions/core npm module addPath and exportVariable functions communicate with the Actions Runner over stdout by generating a string in a specific format. Workflows that log untrusted data to stdout may invoke these commands, resulting in the path or environment variables being modifie...

5 CVSS | 3.7 AI score | 0.00608 EPSS
Exploits 2 | References 4 | Affected Software 1
OSV
added 2020/10/01 5:16 p.m. | 14 views

GHSA-MFWH-5M23-J46W Environment Variable Injection in GitHub Actions

Impact: The @actions/core npm module addPath and exportVariable functions communicate with the Actions Runner over stdout by generating a string in a specific format. Workflows that log untrusted data to stdout may invoke these commands, resulting in the path or environment variables being modifie...

3.5 CVSS | 5.4 AI score | 0.00608 EPSS
Exploits 2 | References 4
ripstech
added 2019/11/26 7:0 a.m. | 26 views

Integrate Security Testing with GitHub Actions

GitHub Actions: GitHub announced their own CI/CD system which is integrated into the user interface and called Github Actions. We added RIPS to the GitHub marketplace which enables you to integrate our leading code analysis directly into your GitHub workflow. It works as a security gateway and fai...

7.2 AI score
Exploits 0