Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWd2MmgtZ2Y4bS1yNjhq
Exposure of server configuration in github.com/go-vela/server
Impact
What kind of vulnerability is it? Who is impacted?
- The ability to expose configuration set in the Vela server via pipeline template functionality.
- It impacts all users of Vela.
Sample of template exposing server configuration using Sprig's env
function:
metadata:
template: true
steps:
- name: sample
image: alpine:latest
commands:
# OAuth client ID for Vela <-> GitHub communication
- echo {{ env "VELA_SOURCE_CLIENT" }}
# secret used for server <-> worker communication
- echo {{ env "VELA_SECRET" }}
Patches
Has the problem been patched? What versions should users upgrade to?
- Upgrade to
0.6.1
Additional Recommended Action(s)
- Rotate all secrets
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
- No
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWd2MmgtZ2Y4bS1yNjhq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: over 1 year ago
CVSS Score: 7.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Identifiers: GHSA-gv2h-gf8m-r68j, CVE-2020-26294
References:
- https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j
- https://nvd.nist.gov/vuln/detail/CVE-2020-26294
- https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda
- https://github.com/helm/helm/blob/6297c021cbda1483d8c08a8ec6f4a99e38be7302/pkg/engine/funcs.go#L46-L47
- https://pkg.go.dev/github.com/go-vela/compiler/compiler
- https://github.com/advisories/GHSA-gv2h-gf8m-r68j
Blast Radius: 3.5
Affected Packages
go:github.com/go-vela/compiler
Dependent packages: 14Dependent repositories: 3
Downloads:
Affected Version Ranges: < 0.6.1
Fixed in: 0.6.1
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.2.0, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.5.0, 0.5.1, 0.6.0
All unaffected versions: 0.6.1, 0.7.0, 0.7.2, 0.7.3, 0.7.4, 0.8.0, 0.8.1, 0.9.0, 0.10.0