Vulnerability Details : CVE-2020-15272
In the git-tag-annotation-action (open source GitHub Action) before version 1.0.1, an attacker can execute arbitrary (*) shell commands if they can control the value of the `tag` input or manage to alter the value of the `GITHUB_REF` environment variable. The problem has been patched in version 1.0.1. If you don't use the `tag` input you are most likely safe. The `GITHUB_REF` environment variable is protected by the GitHub Actions environment, so attacks from there should be impossible. If you must use the `tag` input and cannot upgrade to `> 1.0.0`, make sure that the value is not controlled by another Action.
Products affected by CVE-2020-15272
- cpe:2.3:a:git-tag-annotation-action_project:git-tag-annotation-action:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-15272
- 0.09%: Probability of exploitation activity in the next 30 days
- ~ 39 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-15272
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST | |
9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N | 3.1 | 5.8 | NIST | |
8.7 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N | 2.3 | 5.8 | GitHub, Inc. | |
CWE ids for CVE-2020-15272
- The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Assigned by: security-advisories@github.com (Primary)
References for CVE-2020-15272
- https://github.com/ericcornelissen/git-tag-annotation-action/releases/tag/v1.0.1
  Release v1.0.1 · ericcornelissen/git-tag-annotation-action · GitHub (Third Party Advisory)
- https://github.com/ericcornelissen/git-tag-annotation-action/commit/9f30756375cc4b1b6c66f274fc9c591fa901455a
  Fix shell injection bug · ericcornelissen/git-tag-annotation-action@9f30756 · GitHub (Patch; Third Party Advisory)
- https://github.com/ericcornelissen/git-tag-annotation-action/security/advisories/GHSA-hgx2-4pp9-357g
  Shell-injection through Action input · Advisory · ericcornelissen/git-tag-annotation-action · GitHub (Third Party Advisory)