Exposed Dangerous Method or Function
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-749: Exposed Dangerous Method or Function |
| OWASP | A06:2017 - Security Misconfiguration |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Setting the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable to true in a GitHub Actions workflow re-enables the deprecated set-env and add-path workflow commands. The runner recognises these commands in anything a step writes to its standard output, so any untrusted value that ends up in a log line (a pull request title, an issue body, a branch name, output from a third-party tool) can carry a ::set-env or ::add-path directive and set environment variables or prepend to PATH for every later step in the job. GitHub disabled both commands by default for this reason and replaced them with the GITHUB_ENV and GITHUB_PATH environment files, which the runner reads only from those files and never from stdout. The variable exists only as a temporary opt-out and should be removed rather than set.
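The weak setting beside its corrected form, plus the check a reviewer would run over a workflow file, as an added example that is not code from the original rule page or from GitHub. Both workflow fragments are constructed for this example, and scan_workflow and count_findings are hypothetical helpers written for it. The only assumption about the runner is the documented behaviour described above: with ACTIONS_ALLOW_UNSECURE_COMMANDS set, ::set-env and ::add-path lines in step output are honoured; without it, only the GITHUB_ENV and GITHUB_PATH files are.

```shell
#!/usr/bin/env bash
# Added example, not code from the original rule page or from GitHub.
# Two constructed workflow fragments (one opting back into the deprecated
# commands, one using the GITHUB_ENV / GITHUB_PATH files) and a small
# scanner that flags the patterns this rule is about.

# Constructed vulnerable sample. ACTIONS_ALLOW_UNSECURE_COMMANDS re-enables
# ::set-env / ::add-path, and the last step echoes the attacker-chosen pull
# request title at the start of a stdout line, where the runner parses "::"
# directives. A title that begins with "::set-env name=...::..." would be
# applied to every later step in the job. (Splicing the title into the
# shell script is itself script injection; it is kept here only to show
# how untrusted text reaches stdout.)
VULNERABLE_WORKFLOW='name: build
on: pull_request
env:
  ACTIONS_ALLOW_UNSECURE_COMMANDS: true
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "::set-env name=BUILD_TAG::$(date +%Y%m%d)"
      - run: echo "::add-path::$HOME/.local/bin"
      - run: echo "${{ github.event.pull_request.title }}"
'

# Constructed hardened sample. Values go to the GITHUB_ENV / GITHUB_PATH
# files, the only places the runner reads them from, so "::" text in stdout
# is inert. The untrusted title is passed in through an env var instead of
# being spliced into the script, and it is written with the documented
# NAME<<DELIMITER multi-line form using a random delimiter so a value that
# contains newlines cannot smuggle in a second variable assignment.
FIXED_WORKFLOW='name: build
on: pull_request
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "BUILD_TAG=$(date +%Y%m%d)" >> "$GITHUB_ENV"
      - run: echo "$HOME/.local/bin" >> "$GITHUB_PATH"
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          delim="gh_$(openssl rand -hex 16)"
          printf "PR_TITLE<<%s\n%s\n%s\n" "$delim" "$PR_TITLE" "$delim" >> "$GITHUB_ENV"
'

# scan_workflow WORKFLOW_TEXT: prints one finding per matching line.
# It flags any mention of ACTIONS_ALLOW_UNSECURE_COMMANDS (there is no safe
# reason to set it; a reviewer should confirm it is not "true") and any
# ::set-env / ::add-path directive in step scripts.
scan_workflow() {
    printf '%s' "$1" | awk '
        /ACTIONS_ALLOW_UNSECURE_COMMANDS/ {
            printf "line %d: ACTIONS_ALLOW_UNSECURE_COMMANDS is set; deprecated workflow commands re-enabled\n", NR
        }
        /::(set-env|add-path)/ {
            printf "line %d: deprecated ::set-env or ::add-path command in step script\n", NR
        }'
}

# count_findings WORKFLOW_TEXT: number of findings, usable as a CI gate.
count_findings() {
    scan_workflow "$1" | wc -l | tr -d ' '
}

echo "== vulnerable sample =="
scan_workflow "$VULNERABLE_WORKFLOW"
echo "== hardened sample =="
scan_workflow "$FIXED_WORKFLOW"
```

Run stand-alone, the script reports three findings for the vulnerable fragment (the opt-in on line 4 and the two deprecated commands on lines 9 and 10) and none for the hardened one. The scanner is deliberately a line-level grep rather than a YAML parser: the names it looks for are distinctive enough that false positives are rare, and a hit on either pattern is worth a human look regardless of where in the file it sits.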
Impact
An attacker who gets a set-env or add-path command into a step's output controls the environment and PATH of every subsequent step in the job. That is enough for arbitrary code execution on the runner, for example by setting a variable such as NODE_OPTIONS that a later JavaScript-based action honours, or by prepending a directory that shadows a tool the workflow calls. Code running there holds the job's GITHUB_TOKEN and any secrets the job exposes, so the outcome can be exfiltrated secrets, tampered build artifacts or releases, or pushes to the repository: a compromise of the CI/CD pipeline and of everything downstream that trusts its output.