← volver
CVE-2020-26294

Exposure of server configuration

CVSS 7.4 HIGHEPSS 1.8%CWE-78
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's `env` function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Productos afectados
go-vela · compiler

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bdahttps://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68jhttps://pkg.go.dev/github.com/go-vela/compiler/compiler