SYM_CONF_0026 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Reliance on Insufficiently Trustworthy Component
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-1357: Reliance on Insufficiently Trustworthy Component |
| OWASP | A06:2021 - Vulnerable and Outdated Components |
| Confidence Level | High |
| Impact Level | Low |
| Likelihood Level | Low |
## Description
A GitHub Action from a third-party repository is referenced without being pinned to a specific commit SHA. This means the action could change unexpectedly if the repository is updated or compromised.
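As an added illustration (not part of the database entry or its scanner), the check below scans a workflow file for `uses:` references and reports every repository action whose ref is a tag or branch rather than a full 40-character commit SHA. The workflow text, the action names and the SHA are constructed sample values; local actions (`./...`) and container images (`docker://...`) are skipped because they are not fetched from a third-party repository by tag.

```python
import re

# Constructed sample workflow: two refs are pinned or out of scope, two are not.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # placeholder SHA, v4
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - name: Third-party step
        uses: some-org/some-action@main
"""

# Match a `uses:` key at the start of a line, with or without a leading "- ".
USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*['\"]?([^'\"\s#]+)", re.MULTILINE)
# A full commit SHA is exactly 40 lowercase hex characters.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text):
    """Return (line_number, reference) for each repository action not pinned to a full SHA.

    A ref such as `owner/repo@v4` or `owner/repo@main` is mutable: the tag or branch can
    be moved by the action's author or by anyone who gains write access to that repo.
    """
    findings = []
    for match in USES_RE.finditer(workflow_text):
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local action or container image: not a third-party repo ref
        line_no = workflow_text.count("\n", 0, match.start()) + 1
        _, _, version = ref.partition("@")
        if not FULL_SHA_RE.match(version):
            findings.append((line_no, ref))
    return findings


if __name__ == "__main__":
    for line_no, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} is not pinned to a commit SHA")
```

Pinning to a SHA removes the mutability, but the pinned commit still has to be reviewed and updated deliberately (e.g. via a dependency-update bot), or the workflow silently falls behind on fixes.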
## Impact
If the referenced action is modified by its author or a bad actor, your workflow could automatically run untrusted or malicious code. This can lead to leaks of secrets, unauthorized access, or compromise of your CI/CD pipeline and related infrastructure.