← Back

Git Tag Annotation Action Project

git-tag-annotation-action_project

1 CVE • 1 product

Products (1)

Click to collapse
Toggle
Git Tag Annotation Action
git-tag-annotation-action
1 CVE

CVEs (1)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2020-15272
1Git Tag Annotation Action Project
1Git Tag Annotation Action
Nov 21, 2024
Oct 26, 2020
N/A· v4
9.6 CRITICAL· v3
6.5 MEDIUM· v2
In the git-tag-annotation-action (open source GitHub Action) before version 1.0.1, an attacker can execute arbitrary (*) shell commands if they can control the value of [the `tag` input] or manage to alter the value of [...Show more
In the git-tag-annotation-action (open source GitHub Action) before version 1.0.1, an attacker can execute arbitrary (*) shell commands if they can control the value of [the `tag` input] or manage to alter the value of [the `GITHUB_REF` environment variable]. The problem has been patched in version 1.0.1. If you don't use the `tag` input you are most likely safe. The `GITHUB_REF` environment variable is protected by the GitHub Actions environment so attacks from there should be impossible. If you must use the `tag` input and cannot upgrade to `> 1.0.0` make sure that the value is not controlled by another Action.Show less