View Code? Open in Web Editor
NEW
This project forked from hmanzur /actions-set-secret
Please use the action directly, this repo is archived - Create or update secrets in github repository
License: MIT License
actions-set-secret's People
Watchers
actions-set-secret's Issues
CVE-2022-0235 - Medium Severity Vulnerability
Vulnerable Library - node-fetch-2.6.1.tgz
A light-weight module that brings window.fetch to node.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-fetch/package.json
Dependency Hierarchy:
core-3.1.2.tgz (Root Library)
request-5.4.7.tgz
❌ node-fetch-2.6.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Publish Date: 2022-01-16
URL: CVE-2022-0235
CVSS 3 Score Details (6.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: GHSA-r683-j2x4-v87g
Release Date: 2022-01-16
Fix Resolution: node-fetch - 2.6.7,3.1.1
CVE-2021-35065 - High Severity Vulnerability
Vulnerable Library - glob-parent-5.1.2.tgz
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
eslint-7.6.0.tgz (Root Library)
❌ glob-parent-5.1.2.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The package glob-parent before 6.0.1 are vulnerable to Regular Expression Denial of Service (ReDoS)
Publish Date: 2021-06-22
URL: CVE-2021-35065
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: GHSA-cj88-88mr-972w
Release Date: 2021-06-22
Fix Resolution (glob-parent): 6.0.1
Direct dependency fix Resolution (eslint): 8.0.0
⛑️ Automatic Remediation is available for this issue
WS-2021-0154 - Medium Severity Vulnerability
Vulnerable Library - glob-parent-5.1.1.tgz
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz
Path to dependency file: actions-set-secret/package.json
Path to vulnerable library: actions-set-secret/node_modules/glob-parent/package.json
Dependency Hierarchy:
eslint-7.6.0.tgz (Root Library)
❌ glob-parent-5.1.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Regular Expression Denial of Service (ReDoS) vulnerability was found in glob-parent before 5.1.2.
Publish Date: 2021-01-27
URL: WS-2021-0154
CVSS 3 Score Details (5.3 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2
Release Date: 2021-01-27
Fix Resolution: glob-parent - 5.1.2
CVE-2021-43307 - Medium Severity Vulnerability
Vulnerable Library - semver-regex-3.1.3.tgz
Regular expression for matching semver versions
Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-3.1.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/semver-regex/package.json
Dependency Hierarchy:
husky-4.3.7.tgz (Root Library)
find-versions-4.0.0.tgz
❌ semver-regex-3.1.3.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method
Publish Date: 2022-06-02
URL: CVE-2021-43307
CVSS 3 Score Details (5.9 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://research.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349/
Release Date: 2021-11-03
Fix Resolution (semver-regex): 3.1.4
Direct dependency fix Resolution (husky): 4.3.8
CVE-2022-35954 - Medium Severity Vulnerability
Vulnerable Library - core-1.2.6.tgz
Actions core lib
Library home page: https://registry.npmjs.org/@actions/core/-/core-1.2.6.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/@actions/core/package.json
Dependency Hierarchy:
❌ core-1.2.6.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The core.exportVariable
function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the GITHUB_ENV
file may cause the path or other environment variables to be modified without the intention of the workflow or action author. Users should upgrade to @actions/core v1.9.1
. If you are unable to upgrade the @actions/core
package, you can modify your action to ensure that any user input does not contain the delimiter _GitHubActionsFileCommandDelimeter_
before calling core.exportVariable
.
Publish Date: 2022-08-15
URL: CVE-2022-35954
CVSS 3 Score Details (5.0 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35954
Release Date: 2022-08-15
Fix Resolution: 1.9.1
CVE-2021-3807 - High Severity Vulnerability
Vulnerable Libraries - ansi-regex-4.1.0.tgz , ansi-regex-5.0.0.tgz
ansi-regex-4.1.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/table/node_modules/ansi-regex/package.json
Dependency Hierarchy:
eslint-7.6.0.tgz (Root Library)
table-5.4.6.tgz
string-width-3.1.0.tgz
strip-ansi-5.2.0.tgz
❌ ansi-regex-4.1.0.tgz (Vulnerable Library)
ansi-regex-5.0.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ansi-regex/package.json
Dependency Hierarchy:
eslint-7.6.0.tgz (Root Library)
strip-ansi-6.0.0.tgz
❌ ansi-regex-5.0.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution (ansi-regex): 4.1.1
Direct dependency fix Resolution (eslint): 7.16.0
Fix Resolution (ansi-regex): 5.0.1
Direct dependency fix Resolution (eslint): 7.7.0
⛑️ Automatic Remediation is available for this issue
CVE-2020-28469 - Medium Severity Vulnerability
Vulnerable Library - glob-parent-5.1.1.tgz
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz
Path to dependency file: actions-set-secret/package.json
Path to vulnerable library: actions-set-secret/node_modules/glob-parent/package.json
Dependency Hierarchy:
eslint-7.6.0.tgz (Root Library)
❌ glob-parent-5.1.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
CVSS 3 Score Details (5.3 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution: glob-parent - 5.1.2
CVE-2021-3795 - High Severity Vulnerability
Vulnerable Library - semver-regex-2.0.0.tgz
Regular expression for matching semver versions
Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-2.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/semver-regex/package.json
Dependency Hierarchy:
husky-4.2.5.tgz (Root Library)
find-versions-3.2.0.tgz
❌ semver-regex-2.0.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
semver-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-15
URL: CVE-2021-3795
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://github.com/sindresorhus/semver-regex/releases/tag/v4.0.1
Release Date: 2021-09-15
Fix Resolution (semver-regex): 3.1.3
Direct dependency fix Resolution (husky): 4.3.7
⛑️ Automatic Remediation is available for this issue
CVE-2022-3517 - High Severity Vulnerability
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimatch/package.json
Dependency Hierarchy:
eslint-7.6.0.tgz (Root Library)
❌ minimatch-3.0.4.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5