CVE-2020-26294 Information
Description
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology and written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability that allows exposure of server configuration; it impacts all users of Vela. An attacker can use Sprig's env function to retrieve configuration information (see the referenced GHSA for an example). This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets.
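As an added illustration (not code from the Vela project or the advisory), the following Go program shows why handing Sprig's function map to user-controlled pipeline templates exposes the server process's environment, and one mitigation: removing env and expandenv from the map before rendering. The function names mirror Sprig's; the template text, the environment variable name and the mitigation are assumptions made for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"text/template"
)

// Constructed pipeline snippet: user-controlled template text that calls
// the "env" template function to read a variable of the server process.
const leakyPipeline = `db-pass: {{ env "EXAMPLE_SERVER_SECRET" }}`

// sprigLikeFuncs mimics the relevant entries of Sprig's function map,
// which wires "env" to os.Getenv and "expandenv" to os.ExpandEnv.
func sprigLikeFuncs() template.FuncMap {
	return template.FuncMap{
		"env":       os.Getenv,
		"expandenv": os.ExpandEnv,
	}
}

// hardenedFuncs drops the environment-reading functions before the map is
// handed to user-controlled templates (assumed mitigation, not Vela's patch).
func hardenedFuncs() template.FuncMap {
	funcs := sprigLikeFuncs()
	delete(funcs, "env")
	delete(funcs, "expandenv")
	return funcs
}

// Render parses and executes pipeline text with the given function map.
// With the hardened map, a template calling "env" fails at parse time.
func Render(pipeline string, funcs template.FuncMap) (string, error) {
	tmpl, err := template.New("pipeline").Funcs(funcs).Parse(pipeline)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := tmpl.Execute(&out, nil); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	os.Setenv("EXAMPLE_SERVER_SECRET", "constructed-secret") // constructed value
	fmt.Println(Render(leakyPipeline, sprigLikeFuncs()))
	fmt.Println(Render(leakyPipeline, hardenedFuncs()))
}
```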
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Reference
https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j
https://pkg.go.dev/github.com/go-vela/compiler/compiler
https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
Base Score
5.3
Base Severity
MEDIUM