Git Tag Annotation Action
CVE-2020-15272
CRITICAL
Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionNVD
In the git-tag-annotation-action (open source GitHub Action) before version 1.0.1, an attacker can execute arbitrary (*) shell commands if they can control the value of [the tag input] or manage to alter the value of [the GITHUB_REF environment variable]. The problem has been patched in version 1.0.1. If you don't use the tag input you are most likely safe. The GITHUB_REF environment variable is protected by the GitHub Actions environment so attacks from there should be impossible. If you must use the tag input and cannot upgrade to > 1.0.0 make sure that the value is not controlled by another Action.
AnalysisAI
In the git-tag-annotation-action (open source GitHub Action) before version 1.0.1, an attacker can execute arbitrary (*) shell commands if they can control the value of [the tag input] or manage to. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.
Technical ContextAI
This vulnerability is classified as OS Command Injection (CWE-78), which allows attackers to execute arbitrary operating system commands on the host. In the git-tag-annotation-action (open source GitHub Action) before version 1.0.1, an attacker can execute arbitrary (*) shell commands if they can control the value of [the tag input] or manage to alter the value of [the GITHUB_REF environment variable]. The problem has been patched in version 1.0.1. If you don't use the tag input you are most likely safe. The GITHUB_REF environment variable is protected by the GitHub Actions environment so attacks from there should be impossible. If you must use the tag input and cannot upgrade to > 1.0.0 make sure that the value is not controlled by another Action. Affected products include: Git-Tag-Annotation-Action Project Git-Tag-Annotation-Action. Version information: version 1.0.1.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Avoid passing user input to shell commands. Use language-specific APIs instead of shell execution. Apply strict input validation with allowlists.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today