SYM_CONF_0024 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Exposed Dangerous Method or Function
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-749: Exposed Dangerous Method or Function |
| OWASP | A06:2017 - Security Misconfiguration |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Enabling the `ACTIONS_ALLOW_UNSECURE_COMMANDS` environment variable in GitHub Actions re-enables the deprecated `set-env` and `add-path` workflow commands, which are vulnerable to injection attacks: the runner parses these commands from the standard output of each step, so any step that logs untrusted input can be made to emit them. This makes it possible for attackers to manipulate environment variables in your workflow.
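As an added example (not part of this wiki entry and not taken from any real repository), the Python script below embeds two constructed workflow snippets, one with `ACTIONS_ALLOW_UNSECURE_COMMANDS` enabled and the deprecated commands in use, and one rewritten to use the `$GITHUB_ENV` and `$GITHUB_PATH` environment files that replaced them, and scans both for the misconfiguration. The `scan_workflow` function and the rule names it reports are assumptions of this example, not part of any GitHub tooling.

```python
"""Flag GitHub Actions workflows that opt back into the deprecated set-env /
add-path workflow commands.

Constructed example for this wiki entry: the two workflow snippets below are
made up for illustration and do not come from a real repository.
"""
from __future__ import annotations

import re

# The opt-in variable, set as a workflow, job or step `env:` entry.
UNSECURE_FLAG = re.compile(
    r"ACTIONS_ALLOW_UNSECURE_COMMANDS\s*:\s*['\"]?true['\"]?", re.IGNORECASE
)
# The deprecated workflow commands as they appear on a step's stdout.
DEPRECATED_CMD = re.compile(r"::(set-env|add-path)\b")


def scan_workflow(text: str) -> list[dict]:
    """Return one finding per offending line in a workflow file's text.

    Rule names ("unsecure-commands-enabled", "deprecated-set-env",
    "deprecated-add-path") are assumptions of this example.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if UNSECURE_FLAG.search(line):
            findings.append({"line": lineno, "rule": "unsecure-commands-enabled",
                             "text": line.strip()})
        match = DEPRECATED_CMD.search(line)
        if match:
            findings.append({"line": lineno, "rule": f"deprecated-{match.group(1)}",
                             "text": line.strip()})
    return findings


# Constructed weak configuration: the flag is on and both deprecated
# commands are written to stdout, where the runner parses them.
INSECURE_WORKFLOW = """\
name: build
on: [pull_request]
env:
  ACTIONS_ALLOW_UNSECURE_COMMANDS: true
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "::set-env name=APP_VERSION::1.2.3"
      - run: echo "::add-path::$HOME/.local/bin"
"""

# Constructed corrected configuration: the flag is gone and values are
# appended to the GITHUB_ENV / GITHUB_PATH files instead of being parsed
# out of the step's log output.
FIXED_WORKFLOW = """\
name: build
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "APP_VERSION=1.2.3" >> "$GITHUB_ENV"
      - run: echo "$HOME/.local/bin" >> "$GITHUB_PATH"
"""


def main() -> None:
    for label, text in (("insecure", INSECURE_WORKFLOW), ("fixed", FIXED_WORKFLOW)):
        findings = scan_workflow(text)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  line {f['line']}: {f['rule']}: {f['text']}")


if __name__ == "__main__":
    main()
```

Running the script reports three findings for the weak workflow (the flag on line 4, `set-env` on line 9, `add-path` on line 10) and none for the corrected one; the same `scan_workflow` call can be pointed at the text of each file under `.github/workflows/` in a repository audit.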
Impact
If exploited, an attacker could alter environment variables or the system path, potentially executing unauthorized code, stealing sensitive data, or compromising your CI/CD pipeline. This could lead to code theft, exposure of secrets, or broader system compromise.