medium

Actions Core Delimiter Injection Vulnerability

Published Fri, Aug 12th, 2022

Platforms

Summary

The @actions/core package had a delimiter injection vulnerability in the exportVariable function. Attackers could use a known delimiter to break out of a specific variable and assign values to other arbitrary variables. This may have allowed modification of path or environment variables without the intention of workflow or action authors.

Affected Services

GitHub Actions

Remediation

Upgrade to @actions/core v1.9.1 or ensure user input does not contain the delimiter '_GitHubActionsFileCommandDelimeter_' before calling core.exportVariable.

Tracked CVEs

CVE-2022-35954

References

https://github.com/advisories/GHSA-7r3h-m5j6-3q42

Contributed by https://github.com/sshayb

Entry Status

Finalized

Disclosure Date

Exploitability Period

Until 2022/08/12

Known ITW Exploitation

Detection Methods

Review workflows and actions that write untrusted values to the GITHUB_ENV file. Check for potential manipulation of path or other environment variables.

Piercing Index Rating

Discovered by

Juho Nurminen

More vulnerabilities...

medium

Cloud SQL escape to host

In GCP's case, they introduced a modification to the Cloud SQL's PostgreSQL engine allowing the role assigned to the tenant (cloudsqlsuperuser) to arbitrarily change the ownership of a table to any...

Shir Tamari, Nir Ohfeld, Sa...Aug 11, 2022

medium

Google Cloud Shell command injection

A vulnerability was discovered in Cloud Shell that enabled command injection and remote shell access. By manipulating the "project" parameter, an attacker could have cause an unencoded Python scrip...

Bugra EskiciAug 10, 2022

low

S3 Replication only logs first destination bucket

If a malicious actor with prior access to an AWS environment has permission to modify the S3 Replication Service role access policy, they could abuse cross-account replication to exfiltrate stolen ...

Kat TraxlerJul 20, 2022

View all