GHSA-gv2h-gf8m-r68j

Source
https://github.com/advisories/GHSA-gv2h-gf8m-r68j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-gv2h-gf8m-r68j/GHSA-gv2h-gf8m-r68j.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-gv2h-gf8m-r68j
Aliases
Published
2022-02-15T00:19:57Z
Modified
2024-08-21T15:58:50.803231Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Summary
Exposure of server configuration in github.com/go-vela/server
Details

Impact

What kind of vulnerability is it? Who is impacted?

Sample of a pipeline template that exposes server configuration through Sprig's env function:

metadata:
  template: true

steps:
  - name: sample
    image: alpine:latest
    commands:
      # OAuth client ID for Vela <-> GitHub communication
      - echo {{ env "VELA_SOURCE_CLIENT" }}
      # secret used for server <-> worker communication
      - echo {{ env "VELA_SECRET" }}

Patches

Has the problem been patched? What versions should users upgrade to?

  • Upgrade to 0.6.1

Additional Recommended Action(s)

  • Rotate all secrets

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

  • No

For more information

If you have any questions or comments about this advisory:

Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2021-05-21T17:58:10Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-200",
        "CWE-78"
    ]
}
References

Affected packages

Go / github.com/go-vela/compiler

Package

Name
github.com/go-vela/compiler
Purl
pkg:golang/github.com/go-vela/compiler

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.6.1