CVE-2020-15272
Severity CVSS v4.0:
Pending analysis
Type:
CWE-78
OS Command Injections
Publication date:
26/10/2020
Last modified:
28/10/2020
Description
In the git-tag-annotation-action (open source GitHub Action) before version 1.0.1, an attacker can execute arbitrary (*) shell commands if they can control the value of [the `tag` input] or manage to alter the value of [the `GITHUB_REF` environment variable]. The problem has been patched in version 1.0.1. If you don't use the `tag` input you are most likely safe. The `GITHUB_REF` environment variable is protected by the GitHub Actions environment so attacks from there should be impossible. If you must use the `tag` input and cannot upgrade to `> 1.0.0` make sure that the value is not controlled by another Action.
Impact
Base Score 3.x
9.60
Severity 3.x
CRITICAL
Base Score 2.0
6.50
Severity 2.0
MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:a:git-tag-annotation-action_project:git-tag-annotation-action:*:*:*:*:*:*:*:* | 1.0.1 (excluding) |
To consult the complete list of CPE names with products and versions, see this page