CVE-2020-26294

Exposure of server configuration

CVSS 7.4 HIGHEPSS 1.8%CWE-78

Vexday Risk Score

21Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 7.4EPSS 1.8%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

04 jan 2021Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's `env` function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Produtos afetados

go-vela · compiler

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j https://pkg.go.dev/github.com/go-vela/compiler/compiler