Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's `env` function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets.
References
Link | Resource |
---|---|
https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda | Patch Third Party Advisory |
https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j | Exploit Third Party Advisory |
https://pkg.go.dev/github.com/go-vela/compiler/compiler | Product Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2021-01-04T18:35:14
Updated: 2021-01-04T18:35:13
Reserved: 2020-10-01T00:00:00
Link: CVE-2020-26294
JSON object: View
NVD Information
Status : Analyzed
Published: 2021-01-04T19:15:15.110
Modified: 2021-01-14T17:01:09.177
Link: CVE-2020-26294
JSON object: View
Redhat Information
No data.
CWE