fkie_cve-2025-31479
Vulnerability from fkie_nvd
Published
2025-04-02 22:15
Modified
2025-04-07 14:18
Severity ?
Summary
canonical/get-workflow-version-action is a GitHub composite action to get commit SHA that GitHub Actions reusable workflow was called with. Prior to 1.0.1, if the get-workflow-version-action step fails, the exception output may include the GITHUB_TOKEN. If the full token is included in the exception output, GitHub will automatically redact the secret from the GitHub Actions logs. However, the token may be truncated—causing part of the GITHUB_TOKEN to be displayed in plaintext in the GitHub Actions logs. Anyone with read access to the GitHub repository can view GitHub Actions logs. For public repositories, anyone can view the GitHub Actions logs. The opportunity to exploit this vulnerability is limited—the GITHUB_TOKEN is automatically revoked when the job completes. However, there is an opportunity for an attack in the time between the GITHUB_TOKEN being displayed in the logs and the completion of the job. Users using the github-token input are impacted. This vulnerability is fixed in 1.0.1.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "canonical/get-workflow-version-action is a GitHub composite action to get commit SHA that GitHub Actions reusable workflow was called with. Prior to 1.0.1, if the get-workflow-version-action step fails, the exception output may include the GITHUB_TOKEN. If the full token is included in the exception output, GitHub will automatically redact the secret from the GitHub Actions logs. However, the token may be truncated\u2014causing part of the GITHUB_TOKEN to be displayed in plaintext in the GitHub Actions logs. Anyone with read access to the GitHub repository can view GitHub Actions logs. For public repositories, anyone can view the GitHub Actions logs. The opportunity to exploit this vulnerability is limited\u2014the GITHUB_TOKEN is automatically revoked when the job completes. However, there is an opportunity for an attack in the time between the GITHUB_TOKEN being displayed in the logs and the completion of the job. Users using the github-token input are impacted. This vulnerability is fixed in 1.0.1."
},
{
"lang": "es",
"value": "Canonical/Get-Workflow-Version-Action es una acci\u00f3n compuesta de GitHub para obtener commit SHA con el que se llam\u00f3 el flujo de trabajo reutilizable de GitHub. Antes de 1.0.1, si el paso Get-Workflow-Version-Action falla, la salida de excepci\u00f3n puede incluir el GitHub_Token. Si el token completo se incluye en la salida de excepci\u00f3n, GitHub redactar\u00e1 autom\u00e1ticamente el secreto de los registros de acciones de GitHub. Sin embargo, el token puede ser truncado, lo que se pone en la parte del GitHub_Token que se mostrar\u00e1 en texto plano en los registros de acciones de GitHub. Cualquier persona con acceso de lectura al repositorio de GitHub puede ver registros de acciones de GitHub. Para los repositorios p\u00fablicos, cualquiera puede ver los registros de acciones de GitHub. La oportunidad de explotar esta vulnerabilidad es limitada: el GitHub_Token se revoca autom\u00e1ticamente cuando se completa el trabajo. Sin embargo, hay una oportunidad para un ataque en el tiempo entre el GitHub_Token que se muestra en los registros y la finalizaci\u00f3n del trabajo. Los usuarios que usan la entrada GitHub-Token se ven afectados. Esta vulnerabilidad se fija en 1.0.1."
}
],
"id": "CVE-2025-31479",
"lastModified": "2025-04-07T14:18:34.453",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.8,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-04-02T22:15:20.563",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/canonical/get-workflow-version-action/commit/88281a62e96e1c0ef4df30352ae0668a9f3e3369"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/canonical/get-workflow-version-action/issues/2"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/canonical/get-workflow-version-action/security/advisories/GHSA-26wh-cc3r-w6pj"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-532"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…