CVE-2020-26294
7.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Summary
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's env function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| go-vela | compiler | < 0.6.1 | affected |
Weaknesses
- CWE-78: CWE-78 OS Command Injection
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j
- https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda
- https://pkg.go.dev/github.com/go-vela/compiler/compiler
References
- https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j
- https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda
- https://pkg.go.dev/github.com/go-vela/compiler/compiler
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.