@actions/core allows tampering of environment variables.
The addPath and exportVariable functions, which communicate with the Actions Runner over stdout, allow the unauthorized modification of the path or environment variables.
CPE | Name | Operator | Version |
---|---|---|---|
@actions/core | le | 1.2.5 | |