gdcorp-action-public-forks / peter-evans-create-pull-request

Please use the action directly, this repo is archived - A GitHub action to create a pull request for changes to your repository in the actions workspace
MIT License

CVE-2022-35954 (Medium) detected in core-1.6.0.tgz - autoclosed #17

Closed mend-for-github-com[bot] closed 2 years ago

mend-for-github-com[bot] commented 2 years ago

CVE-2022-35954 - Medium Severity Vulnerability

Vulnerable Library - core-1.6.0.tgz

Actions core lib

Library home page: https://registry.npmjs.org/@actions/core/-/core-1.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@actions/core/package.json

Dependency Hierarchy:
- :x: **core-1.6.0.tgz** (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The `core.exportVariable` function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the `GITHUB_ENV` file may cause the path or other environment variables to be modified without the intention of the workflow or action author. Users should upgrade to `@actions/core v1.9.1`. If you are unable to upgrade the `@actions/core` package, you can modify your action to ensure that any user input does not contain the delimiter `_GitHubActionsFileCommandDelimeter_` before calling `core.exportVariable`.

Publish Date: 2022-08-15

URL: CVE-2022-35954

CVSS 3 Score Details (5.0)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35954

Release Date: 2022-08-13

Fix Resolution: @actions/core - 1.9.1


mend-for-github-com[bot] commented 2 years ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.