PT-2020-14330 · Github · Git-Tag-Annotation-Action

ericcornelissen · Published 2020-10-26 · Updated 2020-10-28 · CVE-2020-15272

CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
git-tag-annotation-action versions prior to 1.0.1

Description
The action takes the name of the tag whose annotation it reads from its tag input or from the GITHUB_REF environment variable and passes that value into a shell command without neutralising shell metacharacters. An attacker who controls the value of the tag input, or who can alter GITHUB_REF, can therefore execute arbitrary shell commands on the runner. GITHUB_REF is set by the GitHub Actions runner and is protected from modification by workflow steps, so attacks through that variable are considered unlikely in practice; the tag input is the realistic vector. No estimate of the number of affected systems is provided, and there are no reports of real-world exploitation of this issue.

Recommendations
For versions prior to 1.0.1, update to version 1.0.1 or later, which resolves the issue. If updating is not possible and the tag input must be used, make sure its value is not controlled by another Action or derived from any other untrusted data.

Fix
Fixed in git-tag-annotation-action version 1.0.1.

Weakness Enumeration
OS Command Injection

Related Identifiers
CVE-2020-15272
GHSA-HGX2-4PP9-357G

Affected Products
Git-Tag-Annotation-Action