Описание
reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs. Other reviewdog actions that use reviewdog/action-setup@v1 that would also be compromised, regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos.
Ссылки
- Patch
- Patch
- Issue TrackingVendor Advisory
- Vendor Advisory
- ExploitThird Party Advisory
- US Government Resource
Уязвимые конфигурации
Одно из
EPSS
8.6 High
CVSS3
Дефекты
Связанные уязвимости
Multiple Reviewdog actions were compromised during a specific time period
Уязвимость компонента reviewdog/action-setup платформы для совместной разработки GitHub, позволяющая нарушителю раскрыть защищаемую информацию
EPSS
8.6 High
CVSS3