Metadata

Id: 60fd272d-15f4-4d8f-afe4-77d9c6cc0453

Cloud Provider: github

Framework: CICD

Severity: Medium

Category: Insecure Configurations

Description

The deprecated set-env and add-path commands can still be explicitly enabled by setting the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable to true. Depending on how this variable is used, an attacker could potentially modify the system path to run unintended commands, which may lead to arbitrary code execution.
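The following check is an added example, not code from this rule or from Datadog: it scans workflow text for ACTIONS_ALLOW_UNSECURE_COMMANDS set to true and for the deprecated set-env and add-path commands, and runs against an insecure workflow and its corrected form, which writes to the GITHUB_ENV and GITHUB_PATH environment files instead. The finding names, the function name and both sample workflows are constructed for illustration.

```python
import re

# ACTIONS_ALLOW_UNSECURE_COMMANDS set to true at workflow, job or step level;
# the value may be quoted and is matched in any letter case.
ENABLE_RE = re.compile(
    r"^\s*(?:-\s+)?ACTIONS_ALLOW_UNSECURE_COMMANDS\s*:\s*['\"]?(?i:true)['\"]?\s*(?:#.*)?$"
)
# Use of the deprecated workflow commands themselves.
COMMAND_RE = re.compile(r"::(set-env|add-path)\b")

# Constructed sample: opts back in to the deprecated commands and uses them.
WEAK = """\
name: build
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    env:
      ACTIONS_ALLOW_UNSECURE_COMMANDS: 'true'
    steps:
      - run: echo "::set-env name=BUILD_ID::42"
      - run: echo "::add-path::/opt/tools/bin"
"""
# Constructed sample: same result through the environment files, no opt-in.
FIXED = """\
name: build
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "BUILD_ID=42" >> "$GITHUB_ENV"
      - run: echo "/opt/tools/bin" >> "$GITHUB_PATH"
"""

def scan_workflow(text):
    """Return (line_number, finding_name, line) tuples; names are hypothetical."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # ignore full-line YAML comments
        if ENABLE_RE.match(line):
            findings.append((number, "unsecure-commands-enabled", stripped))
        for match in COMMAND_RE.finditer(line):
            findings.append((number, "deprecated-" + match.group(1), stripped))
    return findings

if __name__ == "__main__":
    print(*scan_workflow(WEAK), sep="\n")
```

The match is line-based, so it also catches the variable when it is set under a single step's env block rather than for the whole job.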