CVE-2022-39395 – Vela Insecure Defaults

https://notcve.org/view.php?id=CVE-2022-39395

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow exploitation and container breakouts. Users should upgrade to Server 0.16.0, Worker 0.16.0, and UI 0.17.0 to fix the issue. After upgrading, Vela administrators will need to explicitly change the default settings to configure Vela as desired. Some of the fixes will interrupt existing workflows and will require Vela administrators to modify default settings. • https://docs.docker.com/engine/security/#docker-daemon-attack-surface https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4 https://github.com/go-vela/server/releases/tag/v0.16.0 https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593 https://github.com/go-vela/ui/releases/tag/v0.17.0 https://github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v https://github.com/go-vela/worker/releases/tag/v0.16.0 https://github.com& • CWE-269: Improper Privilege Management •