Vulnerabilities related to go-vela - worker
Vulnerability from fkie_nvd
Published
2022-11-10 18:15
Modified
2024-11-21 07:18
Summary
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow exploitation and container breakouts. Users should upgrade to Server 0.16.0, Worker 0.16.0, and UI 0.17.0 to fix the issue. After upgrading, Vela administrators will need to explicitly change the default settings to configure Vela as desired. Some of the fixes will interrupt existing workflows and will require Vela administrators to modify default settings. However, not applying the patch (or workarounds) will continue existing risk exposure. Some workarounds are available. Vela administrators can adjust the worker's `VELA_RUNTIME_PRIVILEGED_IMAGES` setting to be explicitly empty, leverage the `VELA_REPO_ALLOWLIST` setting on the server component to restrict access to a list of repositories that are allowed to be enabled, and/or audit enabled repositories and disable pull_requests if they are not needed.
References
Source: security-advisories@github.com
  https://docs.docker.com/engine/security/#docker-daemon-attack-surface (Technical Description, Third Party Advisory)
  https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4 (Patch, Third Party Advisory)
  https://github.com/go-vela/server/releases/tag/v0.16.0 (Release Notes, Third Party Advisory)
  https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593 (Third Party Advisory)
  https://github.com/go-vela/ui/releases/tag/v0.17.0 (Release Notes, Third Party Advisory)
  https://github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v (Third Party Advisory)
  https://github.com/go-vela/worker/releases/tag/v0.16.0 (Release Notes, Third Party Advisory)
  https://github.com/go-vela/worker/security/advisories/GHSA-2w78-ffv6-p46w (Third Party Advisory)
  https://go-vela.github.io/docs/installation/server/reference/#vela_repo_allowlist (Vendor Advisory)
  https://go-vela.github.io/docs/installation/worker/reference/#vela_runtime_privileged_images (Vendor Advisory)
Source: af854a3a-2127-422b-91ae-364da2661108
  https://docs.docker.com/engine/security/#docker-daemon-attack-surface (Technical Description, Third Party Advisory)
  https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4 (Patch, Third Party Advisory)
  https://github.com/go-vela/server/releases/tag/v0.16.0 (Release Notes, Third Party Advisory)
  https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593 (Third Party Advisory)
  https://github.com/go-vela/ui/releases/tag/v0.17.0 (Release Notes, Third Party Advisory)
  https://github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v (Third Party Advisory)
  https://github.com/go-vela/worker/releases/tag/v0.16.0 (Release Notes, Third Party Advisory)
  https://github.com/go-vela/worker/security/advisories/GHSA-2w78-ffv6-p46w (Third Party Advisory)
  https://go-vela.github.io/docs/installation/server/reference/#vela_repo_allowlist (Vendor Advisory)
  https://go-vela.github.io/docs/installation/worker/reference/#vela_runtime_privileged_images (Vendor Advisory)
Impacted products
Vendor    Product   Version
go-vela   server    *
go-vela   ui        *
go-vela   worker    *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:go-vela:server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "92189644-4057-41AB-BF5A-BFA398413096",
              "versionEndExcluding": "0.16.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:go-vela:ui:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EF033D57-F835-4EB7-9AA7-6D7B2F1E64BA",
              "versionEndExcluding": "0.17.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:go-vela:worker:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "16935176-86CA-42A1-826F-8881FC07AB8A",
              "versionEndExcluding": "0.16.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow exploitation and container breakouts. Users should upgrade to Server 0.16.0, Worker 0.16.0, and UI 0.17.0 to fix the issue. After upgrading, Vela administrators will need to explicitly change the default settings to configure Vela as desired. Some of the fixes will interrupt existing workflows and will require Vela administrators to modify default settings. However, not applying the patch (or workarounds) will continue existing risk exposure. Some workarounds are available. Vela administrators can adjust the worker\u0027s `VELA_RUNTIME_PRIVILEGED_IMAGES` setting to be explicitly empty, leverage the `VELA_REPO_ALLOWLIST` setting on the server component to restrict access to a list of repositories that are allowed to be enabled, and/or audit enabled repositories and disable pull_requests if they are not needed."
    },
    {
      "lang": "es",
      "value": "Vela es un framework de Pipeline Automation (CI/CD) construido sobre tecnolog\u00eda de contenedores de Linux escrita en Golang. En Vela Server y Vela Worker anteriores a la versi\u00f3n 0.16.0 y Vela UI anteriores a la versi\u00f3n 0.17.0, algunas configuraciones predeterminadas para Vela permiten la explotaci\u00f3n y la ruptura de contenedores. Los usuarios deben actualizar a Server 0.16.0, Worker 0.16.0 y UI 0.17.0 para solucionar el problema. Despu\u00e9s de la actualizaci\u00f3n, los administradores de Vela deber\u00e1n cambiar expl\u00edcitamente la configuraci\u00f3n predeterminada para configurar Vela como deseen. Algunas de las correcciones interrumpir\u00e1n los flujos de trabajo existentes y requerir\u00e1n que los administradores de Vela modifiquen la configuraci\u00f3n predeterminada. Sin embargo, no aplicar el parche (o workarounds) continuar\u00e1 la exposici\u00f3n al riesgo existente. Algunas soluciones est\u00e1n disponibles. Los administradores de Vela pueden ajustar la configuraci\u00f3n `VELA_RUNTIME_PRIVILEGED_IMAGES` del trabajador para que est\u00e9 expl\u00edcitamente vac\u00eda, aprovechar la configuraci\u00f3n `VELA_REPO_ALLOWLIST` en el componente del servidor para restringir el acceso a una lista de repositorios que pueden habilitarse y/o auditar los repositorios habilitados y deshabilitar pull_requests si no son necesarios."
    }
  ],
  "id": "CVE-2022-39395",
  "lastModified": "2024-11-21T07:18:12.223",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.6,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.9,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 6.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-11-10T18:15:10.690",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Technical Description",
        "Third Party Advisory"
      ],
      "url": "https://docs.docker.com/engine/security/#docker-daemon-attack-surface"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/go-vela/server/releases/tag/v0.16.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/go-vela/ui/releases/tag/v0.17.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/go-vela/worker/releases/tag/v0.16.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/go-vela/worker/security/advisories/GHSA-2w78-ffv6-p46w"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://go-vela.github.io/docs/installation/server/reference/#vela_repo_allowlist"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://go-vela.github.io/docs/installation/worker/reference/#vela_runtime_privileged_images"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Technical Description",
        "Third Party Advisory"
      ],
      "url": "https://docs.docker.com/engine/security/#docker-daemon-attack-surface"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/go-vela/server/releases/tag/v0.16.0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/go-vela/ui/releases/tag/v0.17.0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/go-vela/worker/releases/tag/v0.16.0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/go-vela/worker/security/advisories/GHSA-2w78-ffv6-p46w"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://go-vela.github.io/docs/installation/server/reference/#vela_repo_allowlist"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://go-vela.github.io/docs/installation/worker/reference/#vela_runtime_privileged_images"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-269"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-269"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-03-12 21:15
Modified
2025-01-22 15:05
Summary
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Vela pipelines can use variable substitution combined with insensitive fields like `parameters`, `image` and `entrypoint` to inject secrets into a plugin/image and — by using common substitution string manipulation — can bypass log masking and expose secrets without the use of the commands block. This unexpected behavior primarily impacts secrets restricted by the "no commands" option. This can lead to unintended use of the secret value, and increased risk of exposing the secret during image execution bypassing log masking. **To exploit this** the pipeline author must be supplying the secrets to a plugin that is designed in such a way that will print those parameters in logs. Plugin parameters are not designed for sensitive values and are often intentionally printed throughout execution for informational/debugging purposes. Parameters should therefore be treated as insensitive. While Vela provides secrets masking, secrets exposure is not entirely solved by the masking process. A docker image (plugin) can easily expose secrets if they are not handled properly, or altered in some way. There is a responsibility on the end-user to understand how values injected into a plugin are used. This is a risk that exists for many CICD systems (like GitHub Actions) that handle sensitive runtime variables. Rather, the greater risk is that users who restrict a secret to the "no commands" option and use image restriction can still have their secret value exposed via substitution tinkering, which turns the image and command restrictions into a false sense of security. This issue has been addressed in version 0.23.2. Users are advised to upgrade. 
Users unable to upgrade should not provide sensitive values to plugins that can potentially expose them, especially in `parameters` that are not intended to be used for sensitive values, ensure plugins (especially those that utilize shared secrets) follow best practices to avoid logging parameters that are expected to be sensitive, minimize secrets with `pull_request` events enabled, as this allows users to change pipeline configurations and pull in secrets to steps not typically part of the CI process, make use of the build approval setting, restricting builds from untrusted users, and limit use of shared secrets, as they are less restrictive to access by nature.
Impacted products
Vendor    Product   Version
go-vela   worker    *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:go-vela:worker:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "00862902-9C2F-41A0-B71B-831E777AB83C",
              "versionEndExcluding": "0.23.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Vela pipelines can use variable substitution combined with insensitive fields like `parameters`, `image` and `entrypoint` to inject secrets into a plugin/image and \u2014 by using common substitution string manipulation \u2014 can bypass log masking and expose secrets without the use of the commands block. This unexpected behavior primarily impacts secrets restricted by the \"no commands\" option. This can lead to unintended use of the secret value, and increased risk of exposing the secret during image execution bypassing log masking. **To exploit this** the pipeline author must be supplying the secrets to a plugin that is designed in such a way that will print those parameters in logs. Plugin parameters are not designed for sensitive values and are often intentionally printed throughout execution for informational/debugging purposes. Parameters should therefore be treated as insensitive. While Vela provides secrets masking, secrets exposure is not entirely solved by the masking process. A docker image (plugin) can easily expose secrets if they are not handled properly, or altered in some way. There is a responsibility on the end-user to understand how values injected into a plugin are used. This is a risk that exists for many CICD systems (like GitHub Actions) that handle sensitive runtime variables. Rather, the greater risk is that users who restrict a secret to the \"no commands\" option and use image restriction can still have their secret value exposed via substitution tinkering, which turns the image and command restrictions into a false sense of security. This issue has been addressed in version 0.23.2. Users are advised to upgrade. 
Users unable to upgrade should not provide sensitive values to plugins that can potentially expose them, especially in `parameters` that are not intended to be used for sensitive values, ensure plugins (especially those that utilize shared secrets) follow best practices to avoid logging parameters that are expected to be sensitive, minimize secrets with `pull_request` events enabled, as this allows users to change pipeline configurations and pull in secrets to steps not typically part of the CI process, make use of the build approval setting, restricting builds from untrusted users, and limit use of shared secrets, as they are less restrictive to access by nature."
    },
    {
      "lang": "es",
      "value": "Vela es un marco de automatizaci\u00f3n de tuber\u00edas (CI/CD) construido sobre tecnolog\u00eda de contenedores de Linux escrita en Golang. Los pipelines de Vela pueden usar sustituci\u00f3n de variables combinada con campos insensibles como \"par\u00e1metros\", \"imagen\" y \"punto de entrada\" para inyectar secretos en un complemento/imagen y, mediante el uso de manipulaci\u00f3n com\u00fan de cadenas de sustituci\u00f3n, pueden evitar el enmascaramiento de registros y exponer secretos sin el uso de el bloque de comandos. Este comportamiento inesperado afecta principalmente a los secretos restringidos por la opci\u00f3n \"sin comandos\". Esto puede provocar un uso no intencionado del valor secreto y un mayor riesgo de exponer el secreto durante la ejecuci\u00f3n de la imagen sin pasar por el enmascaramiento del registro. **Para explotar esto**, el autor de la canalizaci\u00f3n debe proporcionar los secretos a un complemento manipulado de tal manera que imprima esos par\u00e1metros en los registros. Los par\u00e1metros del complemento no est\u00e1n manipulados para valores confidenciales y, a menudo, se imprimen intencionalmente durante la ejecuci\u00f3n con fines informativos/depuraci\u00f3n. Por lo tanto, los par\u00e1metros deben tratarse como insensibles. Si bien Vela proporciona enmascaramiento de secretos, la exposici\u00f3n de secretos no se resuelve por completo mediante el proceso de enmascaramiento. Una imagen acoplable (complemento) puede exponer secretos f\u00e1cilmente si no se manejan adecuadamente o se modifican de alguna manera. El usuario final tiene la responsabilidad de comprender c\u00f3mo se utilizan los valores inyectados en un complemento. Este es un riesgo que existe para muchos sistemas CICD (como GitHub Actions) que manejan variables confidenciales de tiempo de ejecuci\u00f3n. 
M\u00e1s bien, el mayor riesgo es que los usuarios que restringen un secreto a la opci\u00f3n \"sin comandos\" y usan restricci\u00f3n de im\u00e1genes a\u00fan puedan exponer su valor secreto a trav\u00e9s de modificaciones de sustituci\u00f3n, lo que convierte las restricciones de im\u00e1genes y comandos en una falsa sensaci\u00f3n de seguridad. Este problema se solucion\u00f3 en la versi\u00f3n 0.23.2. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar no deben proporcionar valores confidenciales a los complementos que potencialmente puedan exponerlos, especialmente en los \"par\u00e1metros\" que no est\u00e1n destinados a ser utilizados para valores confidenciales, aseg\u00farese de que los complementos (especialmente aquellos que utilizan secretos compartidos) sigan las mejores pr\u00e1cticas para evitar el registro de par\u00e1metros. que se espera que sean confidenciales, minimice los secretos con los eventos `pull_request` habilitados, ya que esto permite a los usuarios cambiar las configuraciones de canalizaci\u00f3n e incorporar secretos a pasos que normalmente no forman parte del proceso de CI, utilice la configuraci\u00f3n de aprobaci\u00f3n de compilaci\u00f3n y restrinja las compilaciones que no sean de confianza, usuarios y limitar el uso de secretos compartidos, ya que su acceso es menos restrictivo por naturaleza."
    }
  ],
  "id": "CVE-2024-28236",
  "lastModified": "2025-01-22T15:05:22.287",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-03-12T21:15:59.027",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/go-vela/worker/commit/e1572743b008e4fbce31ebb1dcd23bf6a1a30297"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/go-vela/worker/security/advisories/GHSA-pwx5-6wxg-px5h"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/go-vela/worker/commit/e1572743b008e4fbce31ebb1dcd23bf6a1a30297"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/go-vela/worker/security/advisories/GHSA-pwx5-6wxg-px5h"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        },
        {
          "lang": "en",
          "value": "CWE-532"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-532"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2024-28236 (GCVE-0-2024-28236)
Vulnerability from cvelistv5
Published
2024-03-12 20:41
Modified
2024-08-02 00:48
CWE
  • CWE-532 - Insertion of Sensitive Information into Log File
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Vela pipelines can use variable substitution combined with insensitive fields like `parameters`, `image` and `entrypoint` to inject secrets into a plugin/image and — by using common substitution string manipulation — can bypass log masking and expose secrets without the use of the commands block. This unexpected behavior primarily impacts secrets restricted by the "no commands" option. This can lead to unintended use of the secret value, and increased risk of exposing the secret during image execution bypassing log masking. **To exploit this** the pipeline author must be supplying the secrets to a plugin that is designed in such a way that will print those parameters in logs. Plugin parameters are not designed for sensitive values and are often intentionally printed throughout execution for informational/debugging purposes. Parameters should therefore be treated as insensitive. While Vela provides secrets masking, secrets exposure is not entirely solved by the masking process. A docker image (plugin) can easily expose secrets if they are not handled properly, or altered in some way. There is a responsibility on the end-user to understand how values injected into a plugin are used. This is a risk that exists for many CICD systems (like GitHub Actions) that handle sensitive runtime variables. Rather, the greater risk is that users who restrict a secret to the "no commands" option and use image restriction can still have their secret value exposed via substitution tinkering, which turns the image and command restrictions into a false sense of security. This issue has been addressed in version 0.23.2. Users are advised to upgrade. 
Users unable to upgrade should not provide sensitive values to plugins that can potentially expose them, especially in `parameters` that are not intended to be used for sensitive values, ensure plugins (especially those that utilize shared secrets) follow best practices to avoid logging parameters that are expected to be sensitive, minimize secrets with `pull_request` events enabled, as this allows users to change pipeline configurations and pull in secrets to steps not typically part of the CI process, make use of the build approval setting, restricting builds from untrusted users, and limit use of shared secrets, as they are less restrictive to access by nature.
Impacted products
Vendor    Product   Version
go-vela   worker    < 0.23.2


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-28236",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-13T14:30:51.704354Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T18:03:18.752Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:48:49.488Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/go-vela/worker/security/advisories/GHSA-pwx5-6wxg-px5h",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/go-vela/worker/security/advisories/GHSA-pwx5-6wxg-px5h"
          },
          {
            "name": "https://github.com/go-vela/worker/commit/e1572743b008e4fbce31ebb1dcd23bf6a1a30297",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/go-vela/worker/commit/e1572743b008e4fbce31ebb1dcd23bf6a1a30297"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "worker",
          "vendor": "go-vela",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.23.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Vela pipelines can use variable substitution combined with insensitive fields like `parameters`, `image` and `entrypoint` to inject secrets into a plugin/image and \u2014 by using common substitution string manipulation \u2014 can bypass log masking and expose secrets without the use of the commands block. This unexpected behavior primarily impacts secrets restricted by the \"no commands\" option. This can lead to unintended use of the secret value, and increased risk of exposing the secret during image execution bypassing log masking. **To exploit this** the pipeline author must be supplying the secrets to a plugin that is designed in such a way that will print those parameters in logs. Plugin parameters are not designed for sensitive values and are often intentionally printed throughout execution for informational/debugging purposes. Parameters should therefore be treated as insensitive. While Vela provides secrets masking, secrets exposure is not entirely solved by the masking process. A docker image (plugin) can easily expose secrets if they are not handled properly, or altered in some way. There is a responsibility on the end-user to understand how values injected into a plugin are used. This is a risk that exists for many CICD systems (like GitHub Actions) that handle sensitive runtime variables. Rather, the greater risk is that users who restrict a secret to the \"no commands\" option and use image restriction can still have their secret value exposed via substitution tinkering, which turns the image and command restrictions into a false sense of security. This issue has been addressed in version 0.23.2. Users are advised to upgrade. \nUsers unable to upgrade should not provide sensitive values to plugins that can potentially expose them, especially in `parameters` that are not intended to be used for sensitive values, ensure plugins (especially those that utilize shared secrets) follow best practices to avoid logging parameters that are expected to be sensitive, minimize secrets with `pull_request` events enabled, as this allows users to change pipeline configurations and pull in secrets to steps not typically part of the CI process, make use of the build approval setting, restricting builds from untrusted users, and limit use of shared secrets, as they are less restrictive to access by nature."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532: Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-12T20:41:09.271Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/go-vela/worker/security/advisories/GHSA-pwx5-6wxg-px5h",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/go-vela/worker/security/advisories/GHSA-pwx5-6wxg-px5h"
        },
        {
          "name": "https://github.com/go-vela/worker/commit/e1572743b008e4fbce31ebb1dcd23bf6a1a30297",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/go-vela/worker/commit/e1572743b008e4fbce31ebb1dcd23bf6a1a30297"
        }
      ],
      "source": {
        "advisory": "GHSA-pwx5-6wxg-px5h",
        "discovery": "UNKNOWN"
      },
      "title": "Insecure Variable Substitution in Vela"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-28236",
    "datePublished": "2024-03-12T20:41:09.271Z",
    "dateReserved": "2024-03-07T14:33:30.035Z",
    "dateUpdated": "2024-08-02T00:48:49.488Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-39395 (GCVE-0-2022-39395)
Vulnerability from cvelistv5
Published
2022-11-10 00:00
Modified
2025-04-23 16:38
Severity ?
CWE
  • CWE-269 - Improper Privilege Management
Summary
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow exploitation and container breakouts. Users should upgrade to Server 0.16.0, Worker 0.16.0, and UI 0.17.0 to fix the issue. After upgrading, Vela administrators will need to explicitly change the default settings to configure Vela as desired. Some of the fixes will interrupt existing workflows and will require Vela administrators to modify default settings. However, not applying the patch (or workarounds) will continue existing risk exposure. Some workarounds are available. Vela administrators can adjust the worker's `VELA_RUNTIME_PRIVILEGED_IMAGES` setting to be explicitly empty, leverage the `VELA_REPO_ALLOWLIST` setting on the server component to restrict access to a list of repositories that are allowed to be enabled, and/or audit enabled repositories and disable pull_requests if they are not needed.
Impacted products
Vendor Product Version
go-vela server Version: < 0.16.0
Version: < 0.17.0


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T12:07:41.884Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/go-vela/worker/security/advisories/GHSA-2w78-ffv6-p46w"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.docker.com/engine/security/#docker-daemon-attack-surface"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/go-vela/server/releases/tag/v0.16.0"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/go-vela/ui/releases/tag/v0.17.0"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/go-vela/worker/releases/tag/v0.16.0"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go-vela.github.io/docs/installation/server/reference/#vela_repo_allowlist"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go-vela.github.io/docs/installation/worker/reference/#vela_runtime_privileged_images"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-39395",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T15:46:53.128029Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T16:38:58.851Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "server",
          "vendor": "go-vela",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.16.0"
            },
            {
              "status": "affected",
              "version": "\u003c 0.17.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow exploitation and container breakouts. Users should upgrade to Server 0.16.0, Worker 0.16.0, and UI 0.17.0 to fix the issue. After upgrading, Vela administrators will need to explicitly change the default settings to configure Vela as desired. Some of the fixes will interrupt existing workflows and will require Vela administrators to modify default settings. However, not applying the patch (or workarounds) will continue existing risk exposure. Some workarounds are available. Vela administrators can adjust the worker\u0027s `VELA_RUNTIME_PRIVILEGED_IMAGES` setting to be explicitly empty, leverage the `VELA_REPO_ALLOWLIST` setting on the server component to restrict access to a list of repositories that are allowed to be enabled, and/or audit enabled repositories and disable pull_requests if they are not needed."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-10T00:00:00.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593"
        },
        {
          "url": "https://github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v"
        },
        {
          "url": "https://github.com/go-vela/worker/security/advisories/GHSA-2w78-ffv6-p46w"
        },
        {
          "url": "https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4"
        },
        {
          "url": "https://docs.docker.com/engine/security/#docker-daemon-attack-surface"
        },
        {
          "url": "https://github.com/go-vela/server/releases/tag/v0.16.0"
        },
        {
          "url": "https://github.com/go-vela/ui/releases/tag/v0.17.0"
        },
        {
          "url": "https://github.com/go-vela/worker/releases/tag/v0.16.0"
        },
        {
          "url": "https://go-vela.github.io/docs/installation/server/reference/#vela_repo_allowlist"
        },
        {
          "url": "https://go-vela.github.io/docs/installation/worker/reference/#vela_runtime_privileged_images"
        }
      ],
      "source": {
        "advisory": "GHSA-5m7g-pj8w-7593",
        "discovery": "UNKNOWN"
      },
      "title": "Vela Insecure Defaults"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-39395",
    "datePublished": "2022-11-10T00:00:00.000Z",
    "dateReserved": "2022-09-02T00:00:00.000Z",
    "dateUpdated": "2025-04-23T16:38:58.851Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}