What is CVE-2022-35954?

CVE-2022-35954 is a vulnerability in the GitHub Actions Toolkit that allows attackers to assign values to arbitrary variables by breaking out of a specific variable using a well-known delimiter.

What is the severity of CVE-2022-35954?

CVE-2022-35954 has a severity of medium with a severity value of 5.

What software versions are affected by CVE-2022-35954?

The affected software version for CVE-2022-35954 is GitHub Toolkit 1.9.1 (Node.js).

How can I fix CVE-2022-35954?

To fix CVE-2022-35954, update to a version of GitHub Toolkit above 1.9.1.

Are there any references available for CVE-2022-35954?

Yes, you can find additional information about CVE-2022-35954 in the GitHub Advisory GHSA-7r3h-m5j6-3q42.

Vulnerability/
CVE-2022-35954

medium

CWE

74 77

13/8/2022

3/8/2024

CVE-2022-35954: Delimiter injection vulnerability in @actions/core exportVariable

First published: Sat Aug 13 2022(Updated: )

The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The `core.exportVariable` function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the `GITHUB_ENV` file may cause the path or other environment variables to be modified without the intention of the workflow or action author. Users should upgrade to `@actions/core v1.9.1`. If you are unable to upgrade the `@actions/core` package, you can modify your action to ensure that any user input does not contain the delimiter `_GitHubActionsFileCommandDelimeter_` before calling `core.exportVariable`.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Github Toolkit	<1.9.1

Remedy

https://github.com/actions/toolkit/commit/4beda9cbc00ba6eefe387a937c21087ccb8ee9df

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2022-35954?
CVE-2022-35954 is a vulnerability in the GitHub Actions Toolkit that allows attackers to assign values to arbitrary variables by breaking out of a specific variable using a well-known delimiter.
What is the severity of CVE-2022-35954?
CVE-2022-35954 has a severity of medium with a severity value of 5.
What software versions are affected by CVE-2022-35954?
The affected software version for CVE-2022-35954 is GitHub Toolkit 1.9.1 (Node.js).
How can I fix CVE-2022-35954?
To fix CVE-2022-35954, update to a version of GitHub Toolkit above 1.9.1.
Are there any references available for CVE-2022-35954?
Yes, you can find additional information about CVE-2022-35954 in the GitHub Advisory GHSA-7r3h-m5j6-3q42.

collector/nvd-index
agent/type
agent/references
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/remedy
agent/author
agent/weakness
agent/title
agent/severity
agent/tags
agent/first-publish-date
agent/event
agent/description
vendor/github
canonical/github toolkit

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.