CVE-2021-32638

Github's CodeQL action is provided to run CodeQL-based code scanning on non-GitHub CI/CD systems and requires a GitHub access token to connect to a GitHub repository. The runner and its documentation previously suggested passing the GitHub token as a command-line parameter to the process instead ...

CVE-2021-32638

CVE-2021-32638 concerns Github CodeQL runner/CodeQL Action used in non-GitHub CI environments, where a GitHub access token supplied via the --github-auth flag could be exposed to other processes through system output (e.g., ps). The issue is resolved by deprecating --github-auth and using secure ...

CVE-2021-32638 CodeQL runner: Command-line options that make GitHub access tokens visible to other processes are now deprecated

Github's CodeQL action is provided to run CodeQL-based code scanning on non-GitHub CI/CD systems and requires a GitHub access token to connect to a GitHub repository. The runner and its documentation previously suggested passing the GitHub token as a command-line parameter to the process instead ...

vulhub

This repository is an open-source collection of pre-built vulnerable docker environments, referred to as 'Vulhub'. It is not a specific exploit or tool, but rather a collection of vulnerable environments for testing and learning purposes. The repository contains various vulnerable docker...

HashiCorp Vault Information Disclosure Vulnerability (CNVD-2021-37053)

HashiCorp Vault is a private key access management tool from HashiCorp Hashicorp USA. An information disclosure vulnerability exists in HashiCorp vault-action prior to version 2.2.0, which stems from a multi-line secret that fails to properly register with GitHub Actions to mask logs, which can b...

CVE-2021-32074

HashiCorp vault-action aka Vault GitHub Action before 2.2.0 allows attackers to obtain sensitive information from log files because a multi-line secret was not correctly registered with GitHub Actions for log masking...

HashiCorp Vault 日志信息泄露漏洞

HashiCorp Vault is a private key access management tool from HashiCorp Hashicorp USA. An information disclosure vulnerability exists in HashiCorp vault-action prior to version 2.2.0, which stems from a multi-line secret that fails to properly register with GitHub Actions to mask logs, which can b...

vulhub

This is an open-source collection of pre-built vulnerable docker environments. It is an offensive tool for web application security testing. The primary vulnerability is not specified, but the repository contains various vulnerable environments, including ones for CouchDB, FFmpeg, Git, InfluxDB,...

Exploit for SQL Injection in Zabbix

This is an open-source collection of pre-built vulnerable docker environments. It is an offensive tool for web application security testing. The primary CVE IDs present in the context are CVE-2016-10134, CVE-2017-2824, and CVE-2020-11800. The target product/service or framework is not explicitly...

GHSA-GG2G-M5WC-VCCQ Rebuild-bot workflow may allow unauthorised repository modifications

Impact projen is a project generation tool that synthesizes project configuration files such as package.json, tsconfig.json, .gitignore, GitHub Workflows, eslint, jest, and more, from a well-typed definition written in JavaScript. Users of projen's NodeProject project type including any project...

PayloadsAllTheThings

It is an offensive tool for funding. This repository contains a collection of funding models, including GitHub Sponsors, Ko-fi, and Buy Me a Coffee. The primary vulnerability class is not explicitly stated, but the tool appears to be related to funding models rather than a specific vulnerability...

vulhub

It is an offensive tool for Docker environments. The primary vulnerability is not specified, but the repository contains a collection of vulnerable Docker environments, including CouchDB, FFmpeg, Git, InfluxDB, and others. The environments are designed to be vulnerable to various attacks, allowin...

openSUSE Security Update : rclone (openSUSE-2020-2008)

This update for rclone fixes the following issues : rclone was updated to version 1.53.3 : - Bug Fixes - Fix incorrect use of math/rand instead of crypto/rand CVE-2020-28924 boo1179005 Nick Craig-Wood - Check https://github.com/rclone/passwordcheck for a tool check for weak passwords generated by...

Atlassian Jira gajira-create code execution vulnerability

Atlassian Jira is a defect tracking management system from Atlassian Australia. The system is used to track and manage all types of issues and defects in the workplace. gajira-comment is a Jira plugin for configuring Jira comment operations. Atlassian gajira-create A security vulnerability exists...

pwntools

This is an open-source repository for the pwntools project, a Python library for reverse engineering and exploitation. The repository contains various files and workflows for contributing to the project, including issue templates, pull request templates, and workflows for continuous integration a...

Design/Logic Flaw

In the git-tag-annotation-action open source GitHub Action before version 1.0.1, an attacker can execute arbitrary shell commands if they can control the value of the tag input or manage to alter the value of the GITHUBREF environment variable. The problem has been patched in version 1.0.1. If yo...

CVE-2020-15228 Environment Variable Injection in GitHub Actions

In the @actions/core npm module before version 1.2.6,addPath and exportVariable functions communicate with the Actions Runner over stdout by generating a string in a specific format. Workflows that log untrusted data to stdout may invoke these commands, resulting in the path or environment...

GHSA-MFWH-5M23-J46W Environment Variable Injection in GitHub Actions

Impact The @actions/core npm module addPath and exportVariable functions communicate with the Actions Runner over stdout by generating a string in a specific format. Workflows that log untrusted data to stdout may invoke these commands, resulting in the path or environment variables being modifie...

Environment Variable Injection in GitHub Actions

Impact The @actions/core npm module addPath and exportVariable functions communicate with the Actions Runner over stdout by generating a string in a specific format. Workflows that log untrusted data to stdout may invoke these commands, resulting in the path or environment variables being modifie...

Integrate Security Testing with GitHub Actions

GitHub Actions GitHub announced their own CI/CD system which is integrated into the user interface and called Github Actions. We added RIPS to the GitHub marketplace which enables you to integrate our leading code analysis directly into your GitHub workflow. It works as a security gateway and fai...