Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

core-1.4.0.tgz: 1 vulnerabilities (highest severity is: 5.0) #100

Open
mend-bolt-for-github bot opened this issue Aug 22, 2022 · 0 comments
Open

core-1.4.0.tgz: 1 vulnerabilities (highest severity is: 5.0) #100

mend-bolt-for-github bot opened this issue Aug 22, 2022 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource

Comments

@mend-bolt-for-github
Copy link
Contributor

mend-bolt-for-github bot commented Aug 22, 2022
edited
Loading

Vulnerable Library - core-1.4.0.tgz

Actions core lib

Library home page: https://registry.npmjs.org/@actions/core/-/core-1.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@actions/core/package.json

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (core version) Remediation Available
CVE-2022-35954 Medium 5.0 core-1.4.0.tgz Direct 1.9.1

Details

CVE-2022-35954

Vulnerable Library - core-1.4.0.tgz

Actions core lib

Library home page: https://registry.npmjs.org/@actions/core/-/core-1.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@actions/core/package.json

Dependency Hierarchy:

  • core-1.4.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The core.exportVariable function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the GITHUB_ENV file may cause the path or other environment variables to be modified without the intention of the workflow or action author. Users should upgrade to @actions/core v1.9.1. If you are unable to upgrade the @actions/core package, you can modify your action to ensure that any user input does not contain the delimiter _GitHubActionsFileCommandDelimeter_ before calling core.exportVariable.

Publish Date: 2022-08-15

URL: CVE-2022-35954

CVSS 3 Score Details (5.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35954

Release Date: 2022-08-15

Fix Resolution: 1.9.1

Step up your Open Source Security Game with Mend here
@mend-bolt-for-github mend-bolt-for-github bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Aug 22, 2022
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
0 participants