CVE-2024-28236 – Insecure Variable Substitution in Vela
https://notcve.org/view.php?id=CVE-2024-28236
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Vela pipelines can use variable substitution combined with insensitive fields like `parameters`, `image` and `entrypoint` to inject secrets into a plugin/image and — by using common substitution string manipulation — can bypass log masking and expose secrets without the use of the commands block. This unexpected behavior primarily impacts secrets restricted by the "no commands" option. This can lead to unintended use of the secret value, and increased risk of exposing the secret during image execution bypassing log masking. **To exploit this** the pipeline author must be supplying the secrets to a plugin that is designed in such a way that will print those parameters in logs. • https://github.com/go-vela/worker/commit/e1572743b008e4fbce31ebb1dcd23bf6a1a30297 https://github.com/go-vela/worker/security/advisories/GHSA-pwx5-6wxg-px5h • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •
CVE-2022-39395 – Vela Insecure Defaults
https://notcve.org/view.php?id=CVE-2022-39395
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow exploitation and container breakouts. Users should upgrade to Server 0.16.0, Worker 0.16.0, and UI 0.17.0 to fix the issue. After upgrading, Vela administrators will need to explicitly change the default settings to configure Vela as desired. Some of the fixes will interrupt existing workflows and will require Vela administrators to modify default settings. • https://docs.docker.com/engine/security/#docker-daemon-attack-surface https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4 https://github.com/go-vela/server/releases/tag/v0.16.0 https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593 https://github.com/go-vela/ui/releases/tag/v0.17.0 https://github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v https://github.com/go-vela/worker/releases/tag/v0.16.0 https://github.com& • CWE-269: Improper Privilege Management •
CVE-2021-21432 – Reject unauthorized access with GitHub PATs
https://notcve.org/view.php?id=CVE-2021-21432
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. An authentication mechanism added in version 0.7.0 enables some malicious user to obtain secrets utilizing the injected credentials within the `~/.netrc` file. Refer to the referenced GitHub Security Advisory for complete details. This is fixed in version 0.7.5. Vela es un framework de Pipeline Automation (CI/CD) construido sobre la tecnología de contenedores de Linux escrita en Golang. • https://github.com/go-vela/server/commit/cb4352918b8ecace9fe969b90404d337b0744d46 https://github.com/go-vela/server/pull/337 https://github.com/go-vela/server/releases/tag/v0.7.5 https://github.com/go-vela/server/security/advisories/GHSA-8j3f-mhq8-gmh4 https://pkg.go.dev/github.com/go-vela/server • CWE-285: Improper Authorization CWE-862: Missing Authorization •