GHSA-xw35-rrcp-g7xm

Impact

The server allow to create any user who can trigger a pipeline run malicious workflows: - Those workflows can either lead to a host takeover that runs the agent executing the workflow. - Or allow to extract the secrets who would be normally provided to the plugins who's entrypoint are overwritten.

Patches

https://github.com/woodpecker-ci/woodpecker/pull/3933

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading? Enable the "gated" repo feature and review each change upfront

References

• https://github.com/woodpecker-ci/woodpecker/pull/3933
• https://github.com/woodpecker-ci/woodpecker-security/pull/11
• https://github.com/woodpecker-ci/woodpecker-security/issues/8 (info will be published later at https://github.com/woodpecker-ci/woodpecker/issues/3924)
• https://github.com/woodpecker-ci/woodpecker-security/issues/9 (info will be published later at https://github.com/woodpecker-ci/woodpecker/issues/3924)
• https://github.com/woodpecker-ci/woodpecker/issues/3924 (info will be published later once we got adoption of the update)

Credits

• Daniel Kilimnik @DKDev (Neodyme AG)
• Felipe Custodio Romero @localo (Neodyme AG)