CVE-2020-26294

Опубликовано: 04 янв. 2021

Источник: nvd

CVSS3: 7.4

CVSS3: 5.3

CVSS2: 5

EPSS Низкий

Описание

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's env function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets.

Ссылки

https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda
Patch
Third Party Advisory
https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j
Exploit
Third Party Advisory
https://pkg.go.dev/github.com/go-vela/compiler/compiler
Product
Third Party Advisory
https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda
Patch
Third Party Advisory
https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j
Exploit
Third Party Advisory
https://pkg.go.dev/github.com/go-vela/compiler/compiler
Product
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:target:compiler:*:*:*:*:*:*:*:*

Версия до 0.6.1 (исключая)

EPSS

Процентиль: 57%

0.0035

Низкий

7.4 High

CVSS3

5.3 Medium

CVSS3

5 Medium

CVSS2

Дефекты

CWE-78

Связанные уязвимости

GHSA-gv2h-gf8m-r68j

CVSS3: 7.4

github

почти 4 года назад

Exposure of server configuration in github.com/go-vela/server

EPSS

Процентиль: 57%

0.0035

Низкий

7.4 High

CVSS3

5.3 Medium

CVSS3

5 Medium

CVSS2

Дефекты

CWE-78