GHSA-4jhw-c53w-w5r7

Suggest an improvement
Source
https://github.com/advisories/GHSA-4jhw-c53w-w5r7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-4jhw-c53w-w5r7/GHSA-4jhw-c53w-w5r7.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4jhw-c53w-w5r7
Aliases
Published
2025-03-21T18:31:35Z
Modified
2025-03-25T20:22:21.112728Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
  • 8.0 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator
Summary
PipeCD Vulnerable to Privilege Escalation
Details

Insecure permissions in pipecd v0.49 allow attackers to gain access to the service account's token, leading to escalation of privileges.

Database specific 
{
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-276",
        "CWE-284",
        "CWE-732"
    ],
    "nvd_published_at": "2025-03-21T17:15:38Z",
    "github_reviewed_at": "2025-03-21T22:03:03Z"
}
References

Affected packages

Go / github.com/pipe-cd/pipecd

Package

Name
github.com/pipe-cd/pipecd
View open source insights on deps.dev
Purl
pkg:golang/github.com/pipe-cd/pipecd

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.49.0