CVE-2020-15228 (Medium) detected in core-1.1.3.tgz

[mylocalghcomapp]

CVE-2020-15228 - Medium Severity Vulnerability

Vulnerable Library - core-1.1.3.tgz

Actions core lib

Library home page: https://registry.npmjs.org/@actions/core/-/core-1.1.3.tgz

Path to dependency file: GprAction\package.json

Path to vulnerable library: GprAction\node_modules\@actions\core\package.json

Dependency Hierarchy:

• ❌ core-1.1.3.tgz (Vulnerable Library)

Found in HEAD commit: c81f33f37cd7029e9584979e43d78bace51d91bb

Found in base branch: master

Vulnerability Details

In the @actions/core npm module before version 1.2.6,addPath and exportVariable functions communicate with the Actions Runner over stdout by generating a string in a specific format. Workflows that log untrusted data to stdout may invoke these commands, resulting in the path or environment variables being modified without the intention of the workflow or action author. The runner will release an update that disables the set-env and add-path workflow commands in the near future. For now, users should upgrade to @actions/core v1.2.6 or later, and replace any instance of the set-env or add-path commands in their workflows with the new Environment File Syntax. Workflows and actions using the old commands or older versions of the toolkit will start to warn, then error out during workflow execution.

Publish Date: 2020-10-01

URL: CVE-2020-15228

CVSS 3 Score Details (5.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-mfwh-5m23-j46w

Release Date: 2020-07-21

Fix Resolution: 1.2.6

---

• Check this box to open an automated fix PR