Описание
Exposure of server configuration in github.com/go-vela/server
Impact
What kind of vulnerability is it? Who is impacted?
- The ability to expose configuration set in the Vela server via pipeline template functionality.
- It impacts all users of Vela.
Sample of template exposing server configuration using Sprig's env function:
Patches
Has the problem been patched? What versions should users upgrade to?
- Upgrade to
0.6.1
Additional Recommended Action(s)
- Rotate all secrets
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
- No
For more information
If you have any questions or comments about this advisory:
- Email us at vela@target.com
Ссылки
- https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j
- https://nvd.nist.gov/vuln/detail/CVE-2020-26294
- https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda
- https://github.com/helm/helm/blob/6297c021cbda1483d8c08a8ec6f4a99e38be7302/pkg/engine/funcs.go#L46-L47
- https://pkg.go.dev/github.com/go-vela/compiler/compiler
Пакеты
github.com/go-vela/compiler
< 0.6.1
0.6.1
Связанные уязвимости
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's `env` function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets.