Vulnerability Details CVE-2020-26294
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's `env` function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 56.8%
CVSS Severity
CVSS v3 Score 7.4
CVSS v2 Score 5.0
References
- https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda
- https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j
- https://pkg.go.dev/github.com/go-vela/compiler/compiler
- https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda
- https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j
- https://pkg.go.dev/github.com/go-vela/compiler/compiler
Products affected by CVE-2020-26294
-
cpe:2.3:a:target:compiler:-
-
cpe:2.3:a:target:compiler:0.1.0
-
cpe:2.3:a:target:compiler:0.1.1
-
cpe:2.3:a:target:compiler:0.1.2
-
cpe:2.3:a:target:compiler:0.1.3
-
cpe:2.3:a:target:compiler:0.1.4
-
cpe:2.3:a:target:compiler:0.1.5
-
cpe:2.3:a:target:compiler:0.1.6
-
cpe:2.3:a:target:compiler:0.2.0
-
cpe:2.3:a:target:compiler:0.3.0
-
cpe:2.3:a:target:compiler:0.4.0
-
cpe:2.3:a:target:compiler:0.4.1
-
cpe:2.3:a:target:compiler:0.4.2
-
cpe:2.3:a:target:compiler:0.4.3
-
cpe:2.3:a:target:compiler:0.5.0
-
cpe:2.3:a:target:compiler:0.5.1
-
cpe:2.3:a:target:compiler:0.6.0