
CVE-2020-15228 : Security Advisory and Response

Learn about CVE-2020-15228, a vulnerability in the `@actions/core` npm module allowing environment variable injection, potentially leading to unauthorized modifications. Find mitigation steps and affected versions here.

In the `@actions/core` npm module before version 1.2.6, a vulnerability allows for environment variable injection, potentially leading to unauthorized modification of path or environment variables.

Understanding CVE-2020-15228

What is CVE-2020-15228?

This CVE refers to a security flaw in the `@actions/core` npm module that enables the injection of environment variables, allowing unauthorized changes to variables.

The Impact of CVE-2020-15228

The vulnerability can be exploited when a workflow logs untrusted data to stdout, since the runner interprets that output and the result is an unintended modification of path or environment variables.

Technical Details of CVE-2020-15228

Vulnerability Description

The issue arises from the `addPath` and `exportVariable` functions communicating with the Actions Runner over stdout, so anything else written to stdout in the same format can alter variables.

Affected Systems and Versions

        Product: toolkit
        Vendor: actions
        Versions Affected: < 1.2.6

Exploitation Mechanism

        Attack Complexity: HIGH
        Attack Vector: NETWORK
        Base Score: 3.5 (LOW)
        CWE-20: Improper Input Validation

Mitigation and Prevention

Immediate Steps to Take

        Upgrade to `@actions/core` v1.2.6 or later
        Replace `set-env` and `add-path` commands with the new Environment File Syntax

Long-Term Security Practices

        Regularly update to the latest versions of software
        Implement secure coding practices

Patching and Updates

        The Actions Runner will release an update to disable the vulnerable commands
