2 results (0.011 seconds)

CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Vela pipelines can use variable substitution combined with insensitive fields like `parameters`, `image` and `entrypoint` to inject secrets into a plugin/image and — by using common substitution string manipulation — can bypass log masking and expose secrets without the use of the commands block. This unexpected behavior primarily impacts secrets restricted by the "no commands" option. This can lead to unintended use of the secret value, and increased risk of exposing the secret during image execution bypassing log masking. **To exploit this** the pipeline author must be supplying the secrets to a plugin that is designed in such a way that will print those parameters in logs. • https://github.com/go-vela/worker/commit/e1572743b008e4fbce31ebb1dcd23bf6a1a30297 https://github.com/go-vela/worker/security/advisories/GHSA-pwx5-6wxg-px5h • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •

CVSS: 9.9EPSS: 0%CPEs: 3EXPL: 0

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow exploitation and container breakouts. Users should upgrade to Server 0.16.0, Worker 0.16.0, and UI 0.17.0 to fix the issue. After upgrading, Vela administrators will need to explicitly change the default settings to configure Vela as desired. Some of the fixes will interrupt existing workflows and will require Vela administrators to modify default settings. • https://docs.docker.com/engine/security/#docker-daemon-attack-surface https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4 https://github.com/go-vela/server/releases/tag/v0.16.0 https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593 https://github.com/go-vela/ui/releases/tag/v0.17.0 https://github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v https://github.com/go-vela/worker/releases/tag/v0.16.0 https://github.com& • CWE-269: Improper Privilege Management •