Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig’s `env` function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets.
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26294
Reference (s):
- https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j
- URL: https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j
- https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda
- URL: https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda
- https://pkg.go.dev/github.com/go-vela/compiler/compiler