Vulnerabilities related to tj-actions - changed-files
cve-2025-30066
Vulnerability from cvelistv5
Published: 2025-03-15 00:00
Modified: 2025-03-22 03:55
Summary
tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)
References
https://github.com/github/docs/blob/962a1c8dccb8c0f66548b324e5b921b5e4fbc3d6/content/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions.md?plain=1#L191-L193
https://github.com/tj-actions/changed-files/issues/2463
https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/
https://news.ycombinator.com/item?id=43368870
https://web.archive.org/web/20250315060250/https://github.com/tj-actions/changed-files/issues/2463
https://news.ycombinator.com/item?id=43367987
https://github.com/rackerlabs/genestack/pull/903
https://github.com/chains-project/maven-lockfile/pull/1111
https://sysdig.com/blog/detecting-and-mitigating-the-tj-actions-changed-files-supply-chain-attack-cve-2025-30066/
https://github.com/espressif/arduino-esp32/issues/11127
https://github.com/modal-labs/modal-examples/issues/1100
https://github.com/tj-actions/changed-files/issues/2464
https://github.com/tj-actions/changed-files/blob/45fb12d7a8bedb4da42342e52fe054c6c2c3fd73/README.md?plain=1#L20-L28
https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066
https://www.stream.security/post/github-action-supply-chain-attack-exposes-secrets-what-you-need-to-know-and-how-to-respond
https://www.sweet.security/blog/cve-2025-30066-tj-actions-supply-chain-attack
https://github.com/tj-actions/changed-files/issues/2477
https://blog.gitguardian.com/compromised-tj-actions/
Impacted products
Vendor: tj-actions
Product: changed-files
Version: from 1 up to, but excluding, 46


{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2025-30066",
                        options: [
                           {
                              Exploitation: "active",
                           },
                           {
                              Automatable: "yes",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-03-17T00:00:00+00:00",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
               {
                  other: {
                     content: {
                        dateAdded: "2025-03-18",
                        reference: "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json",
                     },
                     type: "kev",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-03-22T03:55:43.512Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            timeline: [
               {
                  lang: "en",
                  time: "2025-03-18T00:00:00+00:00",
                  value: "CVE-2025-30066 added to CISA KEV",
               },
            ],
            title: "CISA ADP Vulnrichment",
         },
         {
            providerMetadata: {
               dateUpdated: "2025-03-18T21:05:17.427Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  url: "https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-github-action-cve-2025-30066",
               },
            ],
            title: "CVE Program Container",
            x_generator: {
               engine: "ADPogram 0.0.1",
            },
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "changed-files",
               vendor: "tj-actions",
               versions: [
                  {
                     lessThan: "46",
                     status: "affected",
                     version: "1",
                     versionType: "custom",
                  },
               ],
            },
         ],
         cpeApplicability: [
            {
               nodes: [
                  {
                     cpeMatch: [
                        {
                           criteria: "cpe:2.3:a:tj-actions:changed-files:*:*:*:*:*:*:*:*",
                           versionEndExcluding: "46",
                           versionStartIncluding: "1",
                           vulnerable: true,
                        },
                     ],
                     negate: false,
                     operator: "OR",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  baseScore: 8.6,
                  baseSeverity: "HIGH",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-506",
                     description: "CWE-506 Embedded Malicious Code",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2025-03-18T21:59:21.617Z",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               url: "https://github.com/github/docs/blob/962a1c8dccb8c0f66548b324e5b921b5e4fbc3d6/content/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions.md?plain=1#L191-L193",
            },
            {
               url: "https://github.com/tj-actions/changed-files/issues/2463",
            },
            {
               url: "https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised",
            },
            {
               url: "https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/",
            },
            {
               url: "https://news.ycombinator.com/item?id=43368870",
            },
            {
               url: "https://web.archive.org/web/20250315060250/https://github.com/tj-actions/changed-files/issues/2463",
            },
            {
               url: "https://news.ycombinator.com/item?id=43367987",
            },
            {
               url: "https://github.com/rackerlabs/genestack/pull/903",
            },
            {
               url: "https://github.com/chains-project/maven-lockfile/pull/1111",
            },
            {
               url: "https://sysdig.com/blog/detecting-and-mitigating-the-tj-actions-changed-files-supply-chain-attack-cve-2025-30066/",
            },
            {
               url: "https://github.com/espressif/arduino-esp32/issues/11127",
            },
            {
               url: "https://github.com/modal-labs/modal-examples/issues/1100",
            },
            {
               url: "https://github.com/tj-actions/changed-files/issues/2464",
            },
            {
               url: "https://github.com/tj-actions/changed-files/blob/45fb12d7a8bedb4da42342e52fe054c6c2c3fd73/README.md?plain=1#L20-L28",
            },
            {
               url: "https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066",
            },
            {
               url: "https://www.stream.security/post/github-action-supply-chain-attack-exposes-secrets-what-you-need-to-know-and-how-to-respond",
            },
            {
               url: "https://www.sweet.security/blog/cve-2025-30066-tj-actions-supply-chain-attack",
            },
            {
               url: "https://github.com/tj-actions/changed-files/issues/2477",
            },
            {
               url: "https://blog.gitguardian.com/compromised-tj-actions/",
            },
         ],
         x_generator: {
            engine: "enrichogram 0.0.1",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2025-30066",
      datePublished: "2025-03-15T00:00:00.000Z",
      dateReserved: "2025-03-15T00:00:00.000Z",
      dateUpdated: "2025-03-22T03:55:43.512Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2023-51664
Vulnerability from cvelistv5
Published: 2023-12-27 16:58
Modified: 2024-09-25 20:17
Summary
tj-actions/changed-files is a Github action to retrieve all files and directories. Prior to 41.0.0, the `tj-actions/changed-files` workflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. This issue may lead to arbitrary command execution in the GitHub Runner. This vulnerability has been addressed in version 41.0.0. Users are advised to upgrade.
Impacted products
Vendor: tj-actions
Product: changed-files
Version: < 41.0.0


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T22:40:34.150Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "https://github.com/tj-actions/changed-files/security/advisories/GHSA-mcph-m25j-8j63",
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/tj-actions/changed-files/security/advisories/GHSA-mcph-m25j-8j63",
               },
               {
                  name: "https://github.com/tj-actions/changed-files/commit/0102c07446a3cad972f4afcbd0ee4dbc4b6d2d1b",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/tj-actions/changed-files/commit/0102c07446a3cad972f4afcbd0ee4dbc4b6d2d1b",
               },
               {
                  name: "https://github.com/tj-actions/changed-files/commit/716b1e13042866565e00e85fd4ec490e186c4a2f",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/tj-actions/changed-files/commit/716b1e13042866565e00e85fd4ec490e186c4a2f",
               },
               {
                  name: "https://github.com/tj-actions/changed-files/commit/ff2f6e6b91913a7be42be1b5917330fe442f2ede",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/tj-actions/changed-files/commit/ff2f6e6b91913a7be42be1b5917330fe442f2ede",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2023-51664",
                        options: [
                           {
                              Exploitation: "poc",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-09-25T20:15:25.395923Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-09-25T20:17:19.352Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "changed-files",
               vendor: "tj-actions",
               versions: [
                  {
                     status: "affected",
                     version: "< 41.0.0",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "tj-actions/changed-files is a Github action to retrieve all files and directories. Prior to 41.0.0, the `tj-actions/changed-files` workflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. This issue may lead to arbitrary command execution in the GitHub Runner. This vulnerability has been addressed in version 41.0.0. Users are advised to upgrade.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.3,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-77",
                     description: "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
            {
               descriptions: [
                  {
                     cweId: "CWE-74",
                     description: "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-12-27T16:58:31.908Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               name: "https://github.com/tj-actions/changed-files/security/advisories/GHSA-mcph-m25j-8j63",
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/tj-actions/changed-files/security/advisories/GHSA-mcph-m25j-8j63",
            },
            {
               name: "https://github.com/tj-actions/changed-files/commit/0102c07446a3cad972f4afcbd0ee4dbc4b6d2d1b",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/tj-actions/changed-files/commit/0102c07446a3cad972f4afcbd0ee4dbc4b6d2d1b",
            },
            {
               name: "https://github.com/tj-actions/changed-files/commit/716b1e13042866565e00e85fd4ec490e186c4a2f",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/tj-actions/changed-files/commit/716b1e13042866565e00e85fd4ec490e186c4a2f",
            },
            {
               name: "https://github.com/tj-actions/changed-files/commit/ff2f6e6b91913a7be42be1b5917330fe442f2ede",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/tj-actions/changed-files/commit/ff2f6e6b91913a7be42be1b5917330fe442f2ede",
            },
         ],
         source: {
            advisory: "GHSA-mcph-m25j-8j63",
            discovery: "UNKNOWN",
         },
         title: "tj-actions/changed-files command injection in output filenames",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2023-51664",
      datePublished: "2023-12-27T16:58:31.908Z",
      dateReserved: "2023-12-21T14:14:26.224Z",
      dateUpdated: "2024-09-25T20:17:19.352Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

Vulnerability from fkie_nvd
Published: 2025-03-15 06:15
Modified: 2025-03-29 01:00
Summary
tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)
References (source: URL (tags))
cve@mitre.org: https://blog.gitguardian.com/compromised-tj-actions/ (Exploit, Third Party Advisory)
cve@mitre.org: https://github.com/chains-project/maven-lockfile/pull/1111 (Issue Tracking)
cve@mitre.org: https://github.com/espressif/arduino-esp32/issues/11127 (Issue Tracking)
cve@mitre.org: https://github.com/github/docs/blob/962a1c8dccb8c0f66548b324e5b921b5e4fbc3d6/content/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions.md?plain=1#L191-L193 (Product)
cve@mitre.org: https://github.com/modal-labs/modal-examples/issues/1100 (Issue Tracking)
cve@mitre.org: https://github.com/rackerlabs/genestack/pull/903 (Issue Tracking)
cve@mitre.org: https://github.com/tj-actions/changed-files/blob/45fb12d7a8bedb4da42342e52fe054c6c2c3fd73/README.md?plain=1#L20-L28 (Product)
cve@mitre.org: https://github.com/tj-actions/changed-files/issues/2463 (Issue Tracking)
cve@mitre.org: https://github.com/tj-actions/changed-files/issues/2464 (Issue Tracking)
cve@mitre.org: https://github.com/tj-actions/changed-files/issues/2477 (Issue Tracking)
cve@mitre.org: https://news.ycombinator.com/item?id=43367987 (Issue Tracking, Third Party Advisory)
cve@mitre.org: https://news.ycombinator.com/item?id=43368870 (Issue Tracking, Third Party Advisory)
cve@mitre.org: https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/ (Third Party Advisory)
cve@mitre.org: https://sysdig.com/blog/detecting-and-mitigating-the-tj-actions-changed-files-supply-chain-attack-cve-2025-30066/ (Mitigation, Third Party Advisory)
cve@mitre.org: https://web.archive.org/web/20250315060250/https://github.com/tj-actions/changed-files/issues/2463 (Issue Tracking)
cve@mitre.org: https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised (Exploit, Mitigation, Third Party Advisory)
cve@mitre.org: https://www.stream.security/post/github-action-supply-chain-attack-exposes-secrets-what-you-need-to-know-and-how-to-respond (Third Party Advisory)
cve@mitre.org: https://www.sweet.security/blog/cve-2025-30066-tj-actions-supply-chain-attack (Third Party Advisory)
cve@mitre.org: https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066 (Third Party Advisory)
af854a3a-2127-422b-91ae-364da2661108: https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-github-action-cve-2025-30066 (Third Party Advisory, US Government Resource)
Impacted products
Vendor: tj-actions
Product: changed-files
Version: * (see the CPE match criteria in the record below)



{
   cisaActionDue: "2025-04-08",
   cisaExploitAdd: "2025-03-18",
   cisaRequiredAction: "Apply mitigations as set forth in the CISA instructions linked below. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
   cisaVulnerabilityName: "tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability",
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:tj-actions:changed-files:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "23B2BE4B-AC69-4088-9ABD-ACDB46ABAA9A",
                     versionEndIncluding: "45.0.7",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)",
      },
      {
         lang: "es",
         value: "Los archivos modificados de tj-actions anteriores a la versión 46 permiten a atacantes remotos descubrir secretos leyendo los registros de acciones. (Las etiquetas v1 a v45.0.7 se vieron afectadas el 14 y el 15 de marzo de 2025 porque fueron modificadas por un actor de amenazas para apuntar a el commit 0e58ed8, que contenía código malicioso de updateFeatures).",
      },
   ],
   id: "CVE-2025-30066",
   lastModified: "2025-03-29T01:00:02.337",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 8.6,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 4,
            source: "cve@mitre.org",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 8.6,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 4,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2025-03-15T06:15:12.193",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Exploit",
            "Third Party Advisory",
         ],
         url: "https://blog.gitguardian.com/compromised-tj-actions/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Issue Tracking",
         ],
         url: "https://github.com/chains-project/maven-lockfile/pull/1111",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Issue Tracking",
         ],
         url: "https://github.com/espressif/arduino-esp32/issues/11127",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Product",
         ],
         url: "https://github.com/github/docs/blob/962a1c8dccb8c0f66548b324e5b921b5e4fbc3d6/content/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions.md?plain=1#L191-L193",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Issue Tracking",
         ],
         url: "https://github.com/modal-labs/modal-examples/issues/1100",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Issue Tracking",
         ],
         url: "https://github.com/rackerlabs/genestack/pull/903",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Product",
         ],
         url: "https://github.com/tj-actions/changed-files/blob/45fb12d7a8bedb4da42342e52fe054c6c2c3fd73/README.md?plain=1#L20-L28",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Issue Tracking",
         ],
         url: "https://github.com/tj-actions/changed-files/issues/2463",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Issue Tracking",
         ],
         url: "https://github.com/tj-actions/changed-files/issues/2464",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Issue Tracking",
         ],
         url: "https://github.com/tj-actions/changed-files/issues/2477",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Issue Tracking",
            "Third Party Advisory",
         ],
         url: "https://news.ycombinator.com/item?id=43367987",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Issue Tracking",
            "Third Party Advisory",
         ],
         url: "https://news.ycombinator.com/item?id=43368870",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Mitigation",
            "Third Party Advisory",
         ],
         url: "https://sysdig.com/blog/detecting-and-mitigating-the-tj-actions-changed-files-supply-chain-attack-cve-2025-30066/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Issue Tracking",
         ],
         url: "https://web.archive.org/web/20250315060250/https://github.com/tj-actions/changed-files/issues/2463",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Exploit",
            "Mitigation",
            "Third Party Advisory",
         ],
         url: "https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.stream.security/post/github-action-supply-chain-attack-exposes-secrets-what-you-need-to-know-and-how-to-respond",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.sweet.security/blog/cve-2025-30066-tj-actions-supply-chain-attack",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
            "US Government Resource",
         ],
         url: "https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-github-action-cve-2025-30066",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Analyzed",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-506",
            },
         ],
         source: "cve@mitre.org",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "NVD-CWE-Other",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published: 2023-12-27 17:15
Modified: 2024-11-21 08:38
Summary
tj-actions/changed-files is a Github action to retrieve all files and directories. Prior to 41.0.0, the `tj-actions/changed-files` workflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. This issue may lead to arbitrary command execution in the GitHub Runner. This vulnerability has been addressed in version 41.0.0. Users are advised to upgrade.
Impacted products
Vendor: tj-actions
Product: changed-files
Version: * (see the CPE match criteria in the record below)



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:tj-actions:changed-files:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "ADB03E6A-6453-465B-9CC2-5E3EB68046AF",
                     versionEndExcluding: "41.0.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "tj-actions/changed-files is a Github action to retrieve all files and directories. Prior to 41.0.0, the `tj-actions/changed-files` workflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. This issue may lead to arbitrary command execution in the GitHub Runner. This vulnerability has been addressed in version 41.0.0. Users are advised to upgrade.",
      },
      {
         lang: "es",
         value: "tj-actions/changed-files es una acción de Github para recuperar todos los archivos y directorios. Antes de 41.0.0, el workflow `tj-actions/changed-files` permitía la inyección de comandos en nombres de archivos modificados, lo que permitía a un atacante ejecutar código arbitrario y potencialmente filtrar secretos. Este problema puede provocar la ejecución de comandos arbitrarios en GitHub Runner. Esta vulnerabilidad se ha solucionado en la versión 41.0.0. Se recomienda a los usuarios que actualicen.",
      },
   ],
   id: "CVE-2023-51664",
   lastModified: "2024-11-21T08:38:33.600",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 7.3,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.1,
            impactScore: 5.2,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 9.8,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 5.9,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2023-12-27T17:15:08.340",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
         ],
         url: "https://github.com/tj-actions/changed-files/commit/0102c07446a3cad972f4afcbd0ee4dbc4b6d2d1b",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
         ],
         url: "https://github.com/tj-actions/changed-files/commit/716b1e13042866565e00e85fd4ec490e186c4a2f",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
         ],
         url: "https://github.com/tj-actions/changed-files/commit/ff2f6e6b91913a7be42be1b5917330fe442f2ede",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Exploit",
            "Vendor Advisory",
         ],
         url: "https://github.com/tj-actions/changed-files/security/advisories/GHSA-mcph-m25j-8j63",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
         ],
         url: "https://github.com/tj-actions/changed-files/commit/0102c07446a3cad972f4afcbd0ee4dbc4b6d2d1b",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
         ],
         url: "https://github.com/tj-actions/changed-files/commit/716b1e13042866565e00e85fd4ec490e186c4a2f",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
         ],
         url: "https://github.com/tj-actions/changed-files/commit/ff2f6e6b91913a7be42be1b5917330fe442f2ede",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Vendor Advisory",
         ],
         url: "https://github.com/tj-actions/changed-files/security/advisories/GHSA-mcph-m25j-8j63",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-74",
            },
            {
               lang: "en",
               value: "CWE-77",
            },
         ],
         source: "security-advisories@github.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-77",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}