CVE-2020-26294

Exposure of server configuration

CVSS 7.4 HIGHEPSS 1.8%CWE-78

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 7.4EPSS 1.8%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

04 ene 2021Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's `env` function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Productos afectados

go-vela · compiler

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j https://pkg.go.dev/github.com/go-vela/compiler/compiler