How severe is CVE-2022-35954?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5 out of 10.

What type of vulnerability is CVE-2022-35954?

This is classified as CWE-77, which is a common weakness in software security.

CVE-2022-35954 - MEDIUM Severity | CVSS 5

Vulnerability Description

The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The `core.exportVariable` function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the `GITHUB_ENV` file may cause the path or other environment variables to be modified without the intention of the workflow or action author. Users should upgrade to `@actions/core v1.9.1`. If you are unable to upgrade the `@actions/core` package, you can modify your action to ensure that any user input does not contain the delimiter `_GitHubActionsFileCommandDelimeter_` before calling `core.exportVariable`.

Related Vulnerabilities

CVE-2018-19013

MEDIUM

CVSS:5.0(Medium)

An attacker could inject commands to delete files and/or delete the contents of a file on CX-Supervisor (Versions 3.42 and prior) through a specially crafted project file.

CWE-772018

CVE-2024-28135

MEDIUM

CVSS:5.0(Medium)

A low privileged remote attacker can use a command injection vulnerability in the API which performs remote code execution as the user-app user due to improper input validation. The confidentiality is...

CWE-772024

CVE-2025-5030

LOW

CVSS:5.0(Medium)

A vulnerability was found in Ackites KillWxapkg up to 2.4.1. It has been declared as critical. This vulnerability affects the function processFile of the file internal/unpack/unpack.go of the componen...

CWE-772025

CVE-2019-3913

MEDIUM

CVSS:4.9(Medium)

Command manipulation in LabKey Server Community Edition before 18.3.0-61806.763 allows an authenticated remote attacker to unmount any drive on the system leading to denial of service.

CWE-772019

CVE-2020-5299

MEDIUM

CVSS:5.1(Medium)

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, any users with the ability to modify any data that could eventually be exported as a CSV file from the `Impor...

CWE-772020

CVE-2023-31473

MEDIUM

CVSS:4.9(Medium)

An issue was discovered on GL.iNet devices before 3.216. There is an arbitrary file write in which an empty file can be created anywhere on the filesystem. This is caused by a command injection vulner...

CWE-772023