9 matches found

CISA
added 2025/03/26 12:00 p.m., 4 views

Supply Chain Compromise of Third-Party tj-actions/changed-files (CVE-2025-30066) and reviewdog/action-setup@v1 (CVE-2025-30154)

A popular third-party GitHub Action, tj-actions/changed-files, tracked as CVE-2025-30066, was compromised. tj-actions/changed-files is designed to detect which files have changed in a pull request or commit. The supply chain compromise allows for information disclosure of secrets...

CVSS 8.6 | AI score 7.1 | EPSS 0.41008
Exploits 3 | References 13
Github Security Blog
added 2025/03/15 6:30 a.m., 31 views

tj-actions changed-files through 45.0.7 allows remote attackers to discover secrets by reading actions logs.

Summary: A supply chain attack compromised the tj-actions/changed-files GitHub Action, impacting over 23,000 repositories. Attackers retroactively modified multiple version tags to reference a malicious commit, exposing CI/CD secrets in workflow logs. The vulnerability existed between March 14 and...

CVSS 8.6 | AI score 8.8 | EPSS 0.41008
Exploits 2 | References 25 | Affected Software 1
OSV
added 2025/03/15 6:15 a.m., 16 views

CVE-2025-30066

tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code...

CVSS 8.6 | AI score 8.6 | EPSS 0.41008
Exploits 2 | References 21
ATTACKERKB
added 2025/03/15 12:00 a.m., 16 views

CVE-2025-30066

tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code...

CVSS 8.6 | AI score 8.6 | EPSS 0.41008
In the wild | Exploits 2 | References 20
Cvelist
added 2025/03/15 12:00 a.m., 19 views

CVE-2025-30066

tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code...

CVSS 8.6 | EPSS 0.41008
Exploits 2 | References 19
OSV
added 2024/01/02 4:41 p.m., 40 views

GHSA-MCPH-M25J-8J63 tj-actions/changed-files has Potential Actions command injection in output filenames (GHSL-2023-271)

Summary: The tj-actions/changed-files workflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. Details: The changed-files action returns a list of files changed in a commit or pull request which provides an escapejson...

CVSS 7.3 | AI score 9.1 | EPSS 0.03351
Exploits 1 | References 6
Github Security Blog
added 2024/01/02 4:41 p.m., 204 views

tj-actions/changed-files has Potential Actions command injection in output filenames (GHSL-2023-271)

Summary: The tj-actions/changed-files workflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. Details: The changed-files action returns a list of files changed in a commit or pull request which provides an escapejson...

CVSS 9.8 | AI score 8.4 | EPSS 0.03351
Exploits 1 | References 6 | Affected Software 1
Cvelist
added 2023/12/27 4:58 p.m., 16 views

CVE-2023-51664 tj-actions/changed-files command injection in output filenames

tj-actions/changed-files is a Github action to retrieve all files and directories. Prior to 41.0.0, the tj-actions/changed-files workflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. This issue may lead to arbitrar...

CVSS 7.3 | AI score 10 | EPSS 0.03351
Exploits 1 | References 4
Vulnrichment
added 2023/12/27 4:58 p.m., 16 views

CVE-2023-51664 tj-actions/changed-files command injection in output filenames

tj-actions/changed-files is a Github action to retrieve all files and directories. Prior to 41.0.0, the tj-actions/changed-files workflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. This issue may lead to arbitrar...

CVSS 7.3 | AI score 8.5 | EPSS 0.03351
Exploits 1 | References 4