CVE-2020-15228: Improper Input Validation
(updated )
In the @actions/core
npm module, addPath
and exportVariable
functions communicate with the Actions Runner over stdout by generating a string in a specific format. Workflows that log untrusted data to stdout may invoke these commands, resulting in the path or environment variables being modified without the intention of the workflow or action author. The runner will release an update that disables the set-env
and add-path
workflow commands in the near future.
References
Detect and mitigate CVE-2020-15228 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →