CVE-2020-26294

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's `env` function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets.

CVSS v3 5.3 MEDIUM
CVSS v2.0 5.0 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda	Patch Third Party Advisory
https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j	Exploit Third Party Advisory
https://pkg.go.dev/github.com/go-vela/compiler/compiler	Product Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:target:compiler:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-01-04 19:15

Updated : 2024-02-28 18:08

NVD link : CVE-2020-26294

Mitre link : CVE-2020-26294

CVE.ORG link : CVE-2020-26294

JSON object : View

Products Affected

target

compiler

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2020-26294", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 2.8}]}, "published": "2021-01-04T19:15:15.110", "references": [{"url": "https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://pkg.go.dev/github.com/go-vela/compiler/compiler", "tags": ["Product", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's `env` function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets."}, {"lang": "es", "value": "Vela es un framework de Pipeline Automation (CI/CD) construido sobre la tecnolog\u00eda de contenedores de Linux escrita en Golang. En el compilador de Vela versiones anteriores a 0.6.1, se presenta una vulnerabilidad que permite exponer la configuraci\u00f3n del servidor. Esto afecta a todos los usuarios de Vela. Un atacante puede usar la funci\u00f3n \"env\" de Sprig para recuperar informaci\u00f3n de configuraci\u00f3n; consulte GHSA referenciada para un ejemplo. Esto se ha sido corregido en la versi\u00f3n 0.6.1. Adem\u00e1s de actualizar, se recomienda rotar todos los secretos."}], "lastModified": "2021-01-14T17:01:09.177", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:target:compiler:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "169B58E8-A809-40F9-A10D-3DD07BC24E76", "versionEndExcluding": "0.6.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}