CVE-2020-26294

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-26294
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-26294.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-26294
Aliases
Published
2021-01-04T19:15:15Z
Modified
2024-08-21T15:58:50.803231Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
[none]
Details

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology and written in Golang. The Vela compiler before version 0.6.1 contains a vulnerability that allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's env function to retrieve configuration information; see the referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets.

References

Affected packages

Git / github.com/go-vela/compiler

Affected ranges

Type
GIT
Repo
https://github.com/go-vela/compiler
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*

v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.2.0
v0.2.0-rc1
v0.2.0-rc2
v0.2.0-rc3
v0.3.0
v0.3.0-rc1
v0.3.0-rc2
v0.3.0-rc3
v0.4.0
v0.4.0-rc1
v0.4.0-rc2
v0.4.0-rc3
v0.4.1
v0.4.2
v0.4.3
v0.5.0
v0.5.0-rc1
v0.5.1
v0.6.0
v0.6.0-rc1
v0.6.0-rc2