Vulnerability Description
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's `env` function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Target | Compiler | < 0.6.1 |
Related Weaknesses (CWE)
References
- https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9PatchThird Party Advisory
- https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68jExploitThird Party Advisory
- https://pkg.go.dev/github.com/go-vela/compiler/compilerProductThird Party Advisory
- https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9PatchThird Party Advisory
- https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68jExploitThird Party Advisory
- https://pkg.go.dev/github.com/go-vela/compiler/compilerProductThird Party Advisory
FAQ
What is CVE-2020-26294?
CVE-2020-26294 is a vulnerability with a CVSS score of 7.4 (HIGH). Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server co...
How severe is CVE-2020-26294?
CVE-2020-26294 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-26294?
Check the references section above for vendor advisories and patch information. Affected products include: Target Compiler.