Jordan Sussman

**Name of the Vulnerable Software and Affected Versions** Vela versions 0.7.0 through 0.7.4 **Description** The issue concerns an authentication mechanism added in version 0.7.0 of Vela, which enables malicious users to obtain secrets by utilizing injected credentials within the `~/.netrc` file. This can be achieved by creating a Vela server, logging in to the Vela UI, promoting oneself to a Vela administrator, activating a repository, and adding a `.vela.yml` file with specific content to the repository. The vulnerability allows access to secrets, which can be obtained by running a script with environment-specific settings. **Recommendations** For Vela versions 0.7.0 through 0.7.4, upgrade to version 0.7.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the `~/.netrc` file and the `github.com/go-vela/server` API endpoint to minimize the risk of exploitation. Avoid using the `VELA TOKEN` environment variable in the affected API endpoint until the issue is resolved.