
CVE-2025-24362 – CodeQL GitHub Action failed workflow writes GitHub PAT to debug artifacts
https://notcve.org/view.php?id=CVE-2025-24362
24 Jan 2025 — In some circumstances, debug artifacts uploaded by the CodeQL Action after a failed code scanning workflow run may contain the environment variables from the workflow run, including any secrets that were exposed as environment variables to the workflow. Users with read access to the repository would be able to access this artifact, containing any secrets from the environment. This vulnerability is patched in CodeQL Action version 3.28.3 or later, or CodeQL CLI version 2.20.3 or later. For some affected work... • https://docs.github.com/en/code-security/code-scanning/troubleshooting-code-scanning/logs-not-detailed-enough • CWE-532: Insertion of Sensitive Information into Log File

CVE-2021-32638 – CodeQL runner: Command-line options that make GitHub access tokens visible to other processes are now deprecated
https://notcve.org/view.php?id=CVE-2021-32638
25 May 2021 — GitHub's CodeQL action is provided to run CodeQL-based code scanning on non-GitHub CI/CD systems and requires a GitHub access token to connect to a GitHub repository. The runner and its documentation previously suggested passing the GitHub token as a command-line parameter to the process instead of reading it from a file, standard input, or an environment variable. This approach made the token visible to other processes on the same machine, for example in the output of the `ps` command. If the CI system pub... • https://github.com/github/codeql-action/commit/58defc0652e935f6f2ffc70a82828b98d75476fb • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-214: Invocation of Process Using Visible Sensitive Information