CVE-2022-35954
Environment Variable Manipulation vulnerability in core (npm)
What is CVE-2022-35954 About?
This vulnerability impacts the `core.exportVariable` function, allowing attackers to manipulate environment variables due to a predictable delimiter. This enables the arbitrary assignment of values to other variables within GitHub Actions workflows. Exploitation is relatively straightforward for attackers who can control input to workflows.
Affected Software
- @actions/core (npm), versions earlier than 1.9.1
Technical Details
The `core.exportVariable` function, used in GitHub Actions, employs a well-known delimiter (`_GitHubActionsFileCommandDelimeter_`) to separate variable assignments when writing to the `GITHUB_ENV` file. An attacker can inject this delimiter into a value that is passed to `core.exportVariable` from untrusted input. By including the delimiter and subsequent key-value pairs, the attacker can "break out" of the intended variable assignment. This allows them to define or overwrite other arbitrary environment variables, including sensitive ones like `PATH`, which can lead to unexpected behavior, execution of malicious code, or privilege escalation within the workflow's execution environment.
What is the Impact of CVE-2022-35954?
Successful exploitation may allow attackers to modify arbitrary environment variables within a workflow, potentially leading to unauthorized command execution, privilege escalation, or disruption of the workflow's intended functionality.
What is the Exploitability of CVE-2022-35954?
Exploitation typically requires the ability to supply untrusted input to a GitHub Actions workflow that utilizes `core.exportVariable`. The complexity is low to medium, as it involves injecting a known delimiter into a string. Authentication to the GitHub repository is required to trigger a workflow, but the specific input causing the vulnerability can come from unauthenticated sources if the workflow processes external input (e.g., pull request titles). No specific privileges are required beyond the ability to trigger or influence a workflow run. This is a remote vulnerability, as it's exploited through interaction with a GitHub repository. The primary condition is that the workflow uses `core.exportVariable` with input that is not properly sanitized for the `_GitHubActionsFileCommandDelimeter_` string. Risk factors include workflows that process user-controlled input (e.g., from issue comments, pull request metadata, or form submissions) and directly export it as variables without validation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-35954?
Available Upgrade Options
- @actions/core
  - <1.9.1 → Upgrade to 1.9.1
Additional Resources
- https://github.com/actions/toolkit
- https://github.com/actions/toolkit/security/advisories/GHSA-7r3h-m5j6-3q42
- https://osv.dev/vulnerability/GHSA-7r3h-m5j6-3q42
- https://github.com/actions/toolkit/commit/4beda9cbc00ba6eefe387a937c21087ccb8ee9df
- https://nvd.nist.gov/vuln/detail/CVE-2022-35954
What are Similar Vulnerabilities to CVE-2022-35954?
Similar Vulnerabilities: CVE-2021-23640, CVE-2021-29177, CVE-2021-4191, CVE-2021-3209, CVE-2020-5204
