CVE-2025-30066

15 Mar 2025

Título es
CVE-2025-30066

Sáb, 15/03/2025 – 06:15

Tipo
CWE-506

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2025-30066

Descripción en
tj-actions changed-files through 45.0.7 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were not originally affected, but were modified by a threat actor to point at commit 0e58ed8, which contains the malicious updateFeatures code.)

15/03/2025

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Gravedad 3.1 (CVSS 3.1 Base Score)
8.60

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
HIGH

Referencias

https://github.com/github/docs/blob/962a1c8dccb8c0f66548b324e5b921b5e4fbc3d6/content/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions.md?plain=1#L191-L193

https://github.com/tj-actions/changed-files/issues/2463

https://news.ycombinator.com/item?id=43368870

https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/

https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised

Enviar en el boletín
Off