CVE-2020-15228: Improper Input Validation

October 1, 2020 (updated November 18, 2021)

In the @actions/core npm module, addPath and exportVariable functions communicate with the Actions Runner over stdout by generating a string in a specific format. Workflows that log untrusted data to stdout may invoke these commands, resulting in the path or environment variables being modified without the intention of the workflow or action author. The runner will release an update that disables the set-env and add-path workflow commands in the near future.

References

packetstormsecurity.com/files/159794/GitHub-Widespread-Injection.html
nvd.nist.gov/vuln/detail/CVE-2020-15228

Code Behaviors & Features

Detect and mitigate CVE-2020-15228 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →