Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
act: Unrestricted set-env and add-path command processing enables environment injection
Vulnerability Description
act is a project which allows for local running of github actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which was disabled due to environment injection risks. When a workflow step echoes untrusted data to stdout, an attacker can inject these commands to set arbitrary environment variables or modify the PATH for all subsequent steps in the job. This issue has been patched in version 0.2.86.
CVSS Information
N/A
Vulnerability Type
输出中的特殊元素转义处理不恰当(注入)
Vulnerability Title
Act 注入漏洞
Vulnerability Description
Act是nektos开源的一个本地运行GitHub Actions的工具。 Act 0.2.86之前版本存在注入漏洞,该漏洞源于无条件处理已弃用的::set-env::和::add-path::工作流命令,可能导致设置任意环境变量或修改后续步骤的PATH。
CVSS Information
N/A
Vulnerability Type
N/A