SYM_CONF_0028 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Exposure of Sensitive Information to an Unauthorized Actor
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor |
| OWASP | A06:2017 - Security Misconfiguration |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Sensitive information in GitHub Actions workflows may be exposed if the `::add-mask::` workflow command is not applied consistently to every secret generated at runtime, or if workflow command processing has been stopped with `::stop-commands::` so that a later `::add-mask::` is printed as plain text instead of being processed; in either case the secret value appears unmasked in the job log. Attackers can exploit this by disabling masking, leading to unintended secret disclosure.
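The following workflow is an added illustration and is not part of this database entry or of any SymbioticSec project code. It shows the defensive pattern the description implies: a value obtained at runtime (here from a hypothetical `./get-token.sh` script; values from the `secrets` context are masked automatically, runtime-generated ones are not) is registered with `::add-mask::` before anything can print it, and the `::stop-commands::` window used for untrusted output is kept separate so that no new secret is produced or masked while command processing is disabled. File names and the token-fetching script are constructed placeholders.

```yaml
# Added example, not from the SymbioticSec database entry.
name: mask-runtime-secret
on: [push]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Obtain a short-lived token
        id: token
        run: |
          # Hypothetical helper: the token is produced at runtime, so it is
          # not in the secrets context and is NOT masked automatically.
          TOKEN="$(./get-token.sh)"
          # Register the mask BEFORE any command can print the value; from
          # here on every exact occurrence of it in the log is replaced.
          echo "::add-mask::$TOKEN"
          # Pass it to later steps via the output file, not via stdout.
          echo "token=$TOKEN" >> "$GITHUB_OUTPUT"

      - name: Use the token
        env:
          TOKEN: ${{ steps.token.outputs.token }}
        run: |
          # The value is masked, so even an accidental echo shows only ***.
          echo "Using token: $TOKEN"

      - name: Print untrusted output with command processing disabled
        run: |
          # stop-commands prevents the untrusted content from injecting
          # workflow commands, but it also means a "::add-mask::" emitted
          # inside this window is NOT processed. Keep the window short and
          # do not generate or mask new secrets here.
          STOP_TOKEN="$(openssl rand -hex 16)"
          echo "::stop-commands::$STOP_TOKEN"
          cat untrusted-build-output.log   # constructed file name
          echo "::$STOP_TOKEN::"
```

Two checks worth making when reviewing such a workflow: masking matches the exact string only, so an encoded or transformed form of the token (base64, URL-encoded, split across lines) must be masked separately, and any step that runs with `set -x` or verbose logging should be inspected for secrets that are printed before their `::add-mask::` line runs.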
Impact
If exploited, secret tokens or other sensitive data could be leaked in public or shared workflow logs, allowing attackers to access protected resources, compromise accounts, or escalate their privileges within your organization.