CVE-2024-41121

Опубликовано: 19 июл. 2024

Источник: nvd

CVSS3: 8.8

EPSS Низкий

Описание

Woodpecker is a simple yet powerful CI/CD engine with great extensibility. The server allow to create any user who can trigger a pipeline run malicious workflows: 1. Those workflows can either lead to a host takeover that runs the agent executing the workflow. 2. Or allow to extract the secrets who would be normally provided to the plugins who's entrypoint are overwritten. This issue has been addressed in release version 2.7.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Ссылки

https://github.com/woodpecker-ci/woodpecker-security/issues/8
Broken Link
https://github.com/woodpecker-ci/woodpecker-security/issues/9
Broken Link
https://github.com/woodpecker-ci/woodpecker-security/pull/11
Broken Link
https://github.com/woodpecker-ci/woodpecker/issues/3924
Patch
https://github.com/woodpecker-ci/woodpecker/pull/3933
Patch
https://github.com/woodpecker-ci/woodpecker/security/advisories/GHSA-xw35-rrcp-g7xm
Third Party Advisory
https://github.com/woodpecker-ci/woodpecker-security/issues/8
Broken Link
https://github.com/woodpecker-ci/woodpecker-security/issues/9
Broken Link
https://github.com/woodpecker-ci/woodpecker-security/pull/11
Broken Link
https://github.com/woodpecker-ci/woodpecker/issues/3924
Patch
https://github.com/woodpecker-ci/woodpecker/pull/3933
Patch
https://github.com/woodpecker-ci/woodpecker/security/advisories/GHSA-xw35-rrcp-g7xm
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:woodpecker-ci:woodpecker:*:*:*:*:*:*:*:*

Версия до 2.7.0 (исключая)

EPSS

Процентиль: 70%

0.0066

Низкий

8.8 High

CVSS3

Дефекты

CWE-74

NVD-CWE-noinfo

Связанные уязвимости

GHSA-xw35-rrcp-g7xm