CVE-2020-15272 - Vulnerability Details - OpenCVE

In the git-tag-annotation-action (open source GitHub Action) before version 1.0.1, an attacker can execute arbitrary (*) shell commands if they can control the value of [the `tag` input] or manage to alter the value of [the `GITHUB_REF` environment variable]. The problem has been patched in version 1.0.1. If you don't use the `tag` input you are most likely safe. The `GITHUB_REF` environment variable is protected by the GitHub Actions environment so attacks from there should be impossible. If you must use the `tag` input and cannot upgrade to `> 1.0.0` make sure that the value is not controlled by another Action.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Git-tag-annotation-action Project	Git-tag-annotation-action

Configuration 1 [-]

cpe:2.3:a:git-tag-annotation-action_project:git-tag-annotation-action:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/ericcornelissen/git-tag-annotation-action/commit/9f30756375cc4b1b6c66f274fc9c591fa901455a
https://github.com/ericcornelissen/git-tag-annotation-action/releases/tag/v1.0.1
https://github.com/ericcornelissen/git-tag-annotation-action/security/advisories/GHSA-hgx2-4pp9-357g

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-10-26T18:20:20

Updated: 2024-08-04T13:15:19.802Z

Reserved: 2020-06-25T00:00:00

Link: CVE-2020-15272

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-10-26T19:15:12.770

Modified: 2024-11-21T05:05:14.503

Link: CVE-2020-15272

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "git-tag-annotation-action", "vendor": "ericcornelissen", "versions": [{"status": "affected", "version": "< 1.0.1"}]}], "descriptions": [{"lang": "en", "value": "In the git-tag-annotation-action (open source GitHub Action) before version 1.0.1, an attacker can execute arbitrary (*) shell commands if they can control the value of [the `tag` input] or manage to alter the value of [the `GITHUB_REF` environment variable]. The problem has been patched in version 1.0.1. If you don't use the `tag` input you are most likely safe. The `GITHUB_REF` environment variable is protected by the GitHub Actions environment so attacks from there should be impossible. If you must use the `tag` input and cannot upgrade to `> 1.0.0` make sure that the value is not controlled by another Action."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-10-26T18:20:20", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ericcornelissen/git-tag-annotation-action/security/advisories/GHSA-hgx2-4pp9-357g"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ericcornelissen/git-tag-annotation-action/commit/9f30756375cc4b1b6c66f274fc9c591fa901455a"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ericcornelissen/git-tag-annotation-action/releases/tag/v1.0.1"}], "source": {"advisory": "GHSA-hgx2-4pp9-357g", "discovery": "UNKNOWN"}, "title": "Shell-injection in git-tag-annotation GitHub action", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15272", "STATE": "PUBLIC", "TITLE": "Shell-injection in git-tag-annotation GitHub action"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "git-tag-annotation-action", "version": {"version_data": [{"version_value": "< 1.0.1"}]}}]}, "vendor_name": "ericcornelissen"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In the git-tag-annotation-action (open source GitHub Action) before version 1.0.1, an attacker can execute arbitrary (*) shell commands if they can control the value of [the `tag` input] or manage to alter the value of [the `GITHUB_REF` environment variable]. The problem has been patched in version 1.0.1. If you don't use the `tag` input you are most likely safe. The `GITHUB_REF` environment variable is protected by the GitHub Actions environment so attacks from there should be impossible. If you must use the `tag` input and cannot upgrade to `> 1.0.0` make sure that the value is not controlled by another Action."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/ericcornelissen/git-tag-annotation-action/security/advisories/GHSA-hgx2-4pp9-357g", "refsource": "CONFIRM", "url": "https://github.com/ericcornelissen/git-tag-annotation-action/security/advisories/GHSA-hgx2-4pp9-357g"}, {"name": "https://github.com/ericcornelissen/git-tag-annotation-action/commit/9f30756375cc4b1b6c66f274fc9c591fa901455a", "refsource": "MISC", "url": "https://github.com/ericcornelissen/git-tag-annotation-action/commit/9f30756375cc4b1b6c66f274fc9c591fa901455a"}, {"name": "https://github.com/ericcornelissen/git-tag-annotation-action/releases/tag/v1.0.1", "refsource": "MISC", "url": "https://github.com/ericcornelissen/git-tag-annotation-action/releases/tag/v1.0.1"}]}, "source": {"advisory": "GHSA-hgx2-4pp9-357g", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:15:19.802Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/ericcornelissen/git-tag-annotation-action/security/advisories/GHSA-hgx2-4pp9-357g"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ericcornelissen/git-tag-annotation-action/commit/9f30756375cc4b1b6c66f274fc9c591fa901455a"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ericcornelissen/git-tag-annotation-action/releases/tag/v1.0.1"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15272", "datePublished": "2020-10-26T18:20:20", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2024-08-04T13:15:19.802Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:git-tag-annotation-action_project:git-tag-annotation-action:*:*:*:*:*:*:*:*", "matchCriteriaId": "B85C9E7D-AEBC-4F87-8234-10AA658A7EBE", "versionEndExcluding": "1.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In the git-tag-annotation-action (open source GitHub Action) before version 1.0.1, an attacker can execute arbitrary (*) shell commands if they can control the value of [the `tag` input] or manage to alter the value of [the `GITHUB_REF` environment variable]. The problem has been patched in version 1.0.1. If you don't use the `tag` input you are most likely safe. The `GITHUB_REF` environment variable is protected by the GitHub Actions environment so attacks from there should be impossible. If you must use the `tag` input and cannot upgrade to `> 1.0.0` make sure that the value is not controlled by another Action."}, {"lang": "es", "value": "En la git-tag-annotation-action (GitHub Action de c\u00f3digo abierto) versiones anteriores a 1.0.1, un atacante puede ejecutar comandos de shell arbitrarios (*) si puede controlar el valor de [the \"tag\" input] o lograr alterar la valor de [the \"GITHUB_REF\" environment variable]. El problema ha sido parcheado en la versi\u00f3n 1.0.1. Si no usa la entrada \"tag\", lo m\u00e1s probable es que est\u00e9 seguro. La variable de entorno \"GITHUB_REF\" est\u00e1 protegida por el entorno de GitHub Actions, por lo que los ataques desde all\u00ed deber\u00edan ser imposibles. Si debe utilizar la entrada \"tag\" y no puede actualizar a \"versiones posteriores a 1.0.0\", aseg\u00farese de que el valor no est\u00e9 controlado por otra Acci\u00f3n"}], "id": "CVE-2020-15272", "lastModified": "2024-11-21T05:05:14.503", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 5.8, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-10-26T19:15:12.770", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ericcornelissen/git-tag-annotation-action/commit/9f30756375cc4b1b6c66f274fc9c591fa901455a"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/ericcornelissen/git-tag-annotation-action/releases/tag/v1.0.1"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/ericcornelissen/git-tag-annotation-action/security/advisories/GHSA-hgx2-4pp9-357g"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ericcornelissen/git-tag-annotation-action/commit/9f30756375cc4b1b6c66f274fc9c591fa901455a"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/ericcornelissen/git-tag-annotation-action/releases/tag/v1.0.1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/ericcornelissen/git-tag-annotation-action/security/advisories/GHSA-hgx2-4pp9-357g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Secondary"}]}