GHSA-4gcf-5m39-98mc

Suggest an improvement
Source
https://github.com/advisories/GHSA-4gcf-5m39-98mc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-4gcf-5m39-98mc/GHSA-4gcf-5m39-98mc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4gcf-5m39-98mc
Aliases
Published
2023-08-16T21:02:29Z
Modified
2023-11-08T04:13:17.028082Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Woodpecker does not validate webhook before changing any data
Details

Impact

An attacker can post malformed webhook data which leads to an update of the repository data that can e.g. allow the takeover of a repository. This is only critical if the CI is configured for public usage and connected to a forge witch is also in public usage.

Patches

Please use either next or the latest v1.0 e.g. v1.0.2

Workarounds

Secure the CI system by making it inaccessible to untrusted entities, for example, by placing it behind a firewall.

References

Fix: https://github.com/woodpecker-ci/woodpecker/pull/2221 Backport: https://github.com/woodpecker-ci/woodpecker/pull/2222

References

Affected packages

Go / github.com/woodpecker-ci/woodpecker

Package

Name
github.com/woodpecker-ci/woodpecker
View open source insights on deps.dev
Purl
pkg:golang/github.com/woodpecker-ci/woodpecker

Affected ranges

Type
SEMVER
Events
Introduced
1.0.0
Fixed
1.0.2