Vulnerability Description
Woodpecker is a community fork of the Drone CI system. In affected versions an attacker can post malformed webhook data witch lead to an update of the repository data that can e.g. allow the takeover of an repo. This is only critical if the CI is configured for public usage and connected to a forge witch is also in public usage. This issue has been addressed in version 1.0.2. Users are advised to upgrade. Users unable to upgrade should secure the CI system by making it inaccessible to untrusted entities, for example, by placing it behind a firewall.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Woodpecker-Ci | Woodpecker | >= 1.0.0, < 1.0.2 |
Related Weaknesses (CWE)
References
- https://github.com/woodpecker-ci/woodpecker/commit/6e4c2f84cc84661d58cf1c0e5c421Patch
- https://github.com/woodpecker-ci/woodpecker/pull/2221Issue Tracking
- https://github.com/woodpecker-ci/woodpecker/pull/2222Issue Tracking
- https://github.com/woodpecker-ci/woodpecker/security/advisories/GHSA-4gcf-5m39-9Vendor Advisory
- https://github.com/woodpecker-ci/woodpecker/commit/6e4c2f84cc84661d58cf1c0e5c421Patch
- https://github.com/woodpecker-ci/woodpecker/pull/2221Issue Tracking
- https://github.com/woodpecker-ci/woodpecker/pull/2222Issue Tracking
- https://github.com/woodpecker-ci/woodpecker/security/advisories/GHSA-4gcf-5m39-9Vendor Advisory
FAQ
What is CVE-2023-40034?
CVE-2023-40034 is a vulnerability with a CVSS score of 8.1 (HIGH). Woodpecker is a community fork of the Drone CI system. In affected versions an attacker can post malformed webhook data witch lead to an update of the repository data that can e.g. allow the takeover ...
How severe is CVE-2023-40034?
CVE-2023-40034 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-40034?
Check the references section above for vendor advisories and patch information. Affected products include: Woodpecker-Ci Woodpecker.