CVE-2022-35954

Published: Aug 13, 2022

Modified: Apr 23, 2025

PUBLISHED

CVSS v3.1

5.0

MEDIUM

Description

The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The `core.exportVariable` function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the `GITHUB_ENV` file may cause the path or other environment variables to be modified without the intention of the workflow or action author. Users should upgrade to `@actions/core v1.9.1`. If you are unable to upgrade the `@actions/core` package, you can modify your action to ensure that any user input does not contain the delimiter `_GitHubActionsFileCommandDelimeter_` before calling `core.exportVariable`.

Vendor	Product	Versions
actions	toolkit	affected `<= 1.9.0`

Weaknesses (CWE)

CWE-77

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

Low

Availability

None

References

https://github.com/actions/toolkit/security/advisories/GHSA-7r3h-m5j6-3q42

x_refsource_CONFIRM

https://github.com/actions/toolkit/commit/4beda9cbc00ba6eefe387a937c21087ccb8ee9df

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2022-35954

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References