How severe is CVE-2022-29220?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.5 out of 10.

What type of vulnerability is CVE-2022-29220?

This is classified as CWE-283, which is a common weakness in software security.

CVE-2022-29220

MEDIUM Year: 2022

CVSS v3 Score

6.5

Medium

CVSS v2 Score

4.0

Medium

Weakness Type

CWE-283

View all →

Vulnerability Description

github-action-merge-dependabot is an action that automatically approves and merges dependabot pull requests (PRs). Prior to version 3.2.0, github-action-merge-dependabot does not check if a commit created by dependabot is verified with the proper GPG key. There is just a check if the actor is set to `dependabot[bot]` to determine if the PR is a legit PR. Theoretically, an owner of a seemingly valid and legit action in the pipeline can check if the PR is created by dependabot and if their own action has enough permissions to modify the PR in the pipeline. If so, they can modify the PR by adding a second seemingly valid and legit commit to the PR, as they can set arbitrarily the username and email in for commits in git. Because the bot only checks if the actor is valid, it would pass the malicious changes through and merge the PR automatically, without getting noticed by project maintainers. It would probably not be possible to determine where the malicious commit came from, as it would only say `dependabot[bot]` and the corresponding email-address. Version 3.2.0 contains a patch for this issue.

CVE-2024-27903

HIGH

CVSS:7.2(High)

OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory, which allows an attacker to load an arbitrary plug-in which can be used to interact with the privileged O...

CWE-2832024

CVE-2025-47940

HIGH

CVSS:7.2(High)

TYPO3 is an open source, PHP based web content management system. Starting in version 10.0.0 and prior to versions 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, administrator-level backend...

CWE-2832025

CVE-2024-1853

MEDIUM

CVSS:5.5(Medium)

Zemana AntiLogger v2.74.204.664 is vulnerable to an Arbitrary Process Termination vulnerability by triggering the 0x80002048 IOCTL code of the zam64.sys and zamguard64.sys drivers.

CWE-2832024

CVE-2020-8554

MEDIUM

CVSS:5.0(Medium)

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker...

CWE-2832020

CVE-2021-24500

HIGH

CVSS:8.1(High)

Several AJAX actions available in the Workreap WordPress theme before 2.2.2 lacked CSRF protections, as well as allowing insecure direct object references that were not validated. This allows an attac...

CWE-2832021

CVE-2021-24501

HIGH

CVSS:8.1(High)

The Workreap WordPress theme before 2.2.2 had several AJAX actions missing authorization checks to verify that a user was authorized to perform critical operations such as modifying or deleting object...

CWE-2832021

CVE-2022-29220

Vulnerability Description

Related Vulnerabilities

CVE-2024-27903

CVE-2025-47940

CVE-2024-1853

CVE-2020-8554

CVE-2021-24500

CVE-2021-24501