CVE-2020-26294 – github.com/go-vela/compiler
Package
Manager: go
Name: github.com/go-vela/compiler
Vulnerable Version: >=0 <0.6.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
EPSS: 0.0035 (percentile 0.56751)
Details
Exposure of server configuration in github.com/go-vela/server

### Impact

_What kind of vulnerability is it? Who is impacted?_

* The ability to expose configuration set in the [Vela server](https://github.com/go-vela/server) via [pipeline template functionality](https://go-vela.github.io/docs/templates/overview/).
* It impacts all users of Vela.

Sample of a template exposing server configuration [using Sprig's `env` function](http://masterminds.github.io/sprig/os.html):

```yaml
metadata:
  template: true

steps:
  - name: sample
    image: alpine:latest
    commands:
      # OAuth client ID for Vela <-> GitHub communication
      - echo {{ env "VELA_SOURCE_CLIENT" }}
      # secret used for server <-> worker communication
      - echo {{ env "VELA_SECRET" }}
```

### Patches

_Has the problem been patched? What versions should users upgrade to?_

* Upgrade to `0.6.1`

#### Additional Recommended Action(s)

* Rotate all secrets

### Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

* No

### For more information

If you have any questions or comments about this advisory:

* Email us at [vela@target.com](mailto:vela@target.com)
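As an added illustration (not code from the Vela project or from this advisory), the Go program below uses a standard-library stand-in for Sprig's `env` and `expandenv` functions, renders the advisory's template through an unrestricted function map, and then through a hardened map with those functions removed so the template is rejected at parse time, before any server configuration is read. The template text, the function names and the environment value are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"strings"
	"text/template"
)

// Constructed sample pipeline template, mirroring the advisory's example.
const leakyTemplate = `steps:
  - name: sample
    image: alpine:latest
    commands:
      - echo {{ env "VELA_SECRET" }}
`

// fullFuncs is a stand-in for a Sprig-style function map (assumption: not Sprig
// itself): it exposes the rendering process's environment to the template author.
func fullFuncs() template.FuncMap {
	return template.FuncMap{
		"env":       os.Getenv,
		"expandenv": os.ExpandEnv,
		"upper":     strings.ToUpper,
	}
}

// hardenedFuncs drops every function that reads the host environment, so a
// template referencing them fails to parse instead of leaking configuration.
func hardenedFuncs() template.FuncMap {
	m := fullFuncs()
	for _, name := range []string{"env", "expandenv"} {
		delete(m, name)
	}
	return m
}

// Render parses and executes tmpl with the given function map. text/template
// resolves function names at parse time, so an undefined "env" is an error.
func Render(tmpl string, funcs template.FuncMap) (string, error) {
	t, err := template.New("pipeline").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, nil); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	os.Setenv("VELA_SECRET", "constructed-example-secret") // constructed value
	out, err := Render(leakyTemplate, fullFuncs())
	fmt.Printf("unrestricted: %q err=%v\n", out, err) // secret appears in output
	out, err = Render(leakyTemplate, hardenedFuncs())
	fmt.Printf("hardened: %q err=%v\n", out, err) // parse error, nothing rendered
}
```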
Metadata
Created: 2022-02-15T00:19:57Z
Modified: 2022-02-15T00:19:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-gv2h-gf8m-r68j/GHSA-gv2h-gf8m-r68j.json
CWE IDs: ["CWE-200", "CWE-78"]
Alternative ID: GHSA-gv2h-gf8m-r68j
Finding: F404
Auto approve: 1