Unknown · Vela Compiler · CVE-2020-26294
Name of the Vulnerable Software and Affected Versions:
Vela versions prior to 0.6.1
Vela compiler versions prior to 0.6.1
Description:
The issue allows exposure of server configuration, impacting all users of Vela. The compiler exposes Sprig's `env` function to pipeline templates, so an attacker who can author a template can read the compiler's environment and retrieve configuration information. For example, a template can use the `env` function to echo sensitive values such as `VELA_SOURCE_CLIENT` or `VELA_SECRET`.
Recommendations:
For versions prior to 0.6.1, upgrade to version 0.6.1.
Rotate all secrets to minimize the risk of exploitation.
As a temporary workaround, consider restricting the use of Sprig's `env` function in pipeline templates until the issue is resolved.
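The workaround above, worked through in Go as an added example (this is not Vela's own code, and the standard library stands in for Sprig's `env` and `expandenv` helpers so it runs offline): a permissive template function map beside a restricted one that drops the environment-reading functions, and a parse-tree audit that lists every `env`/`expandenv` call so existing pipeline templates can be reviewed before the upgrade. The template text, the placeholder value assigned to `VELA_SECRET`, and the `Repo` field are constructed for the example.

```go
package main

import (
	"fmt"
	"os"
	"strings"
	"text/template"
	"text/template/parse"
)

// permissiveFuncs mirrors a function map that hands templates the Sprig
// helpers which read the compiler's process environment (constructed here
// from the standard library; Sprig's env and expandenv wrap the same calls).
func permissiveFuncs() template.FuncMap {
	return template.FuncMap{
		"env":       os.Getenv,
		"expandenv": os.ExpandEnv,
		"upper":     strings.ToUpper, // a benign helper that should keep working
	}
}

// restrictedFuncs is the hardened map: identical, minus anything that can
// read the server environment. Benign helpers remain available.
func restrictedFuncs() template.FuncMap {
	funcs := permissiveFuncs()
	delete(funcs, "env")
	delete(funcs, "expandenv")
	return funcs
}

// render parses and executes a pipeline template with the given function map.
// With restrictedFuncs, a template calling env is rejected at parse time with
// `function "env" not defined`, before any step is executed.
func render(funcs template.FuncMap, text string, data interface{}) (string, error) {
	tmpl, err := template.New("pipeline").Funcs(funcs).Parse(text)
	if err != nil {
		return "", err
	}
	var out strings.Builder
	if err := tmpl.Execute(&out, data); err != nil {
		return "", err
	}
	return out.String(), nil
}

// envFuncsUsed audits a template without executing it: it parses the text
// with the permissive map and walks the parse tree, reporting each call to
// env or expandenv, including calls nested in if/range/with blocks and in
// parenthesised sub-pipelines.
func envFuncsUsed(text string) ([]string, error) {
	tmpl, err := template.New("audit").Funcs(permissiveFuncs()).Parse(text)
	if err != nil {
		return nil, err
	}
	var found []string
	var walk func(parse.Node)
	walk = func(n parse.Node) {
		switch n := n.(type) {
		case *parse.ListNode:
			if n == nil {
				return // e.g. an absent else branch
			}
			for _, c := range n.Nodes {
				walk(c)
			}
		case *parse.ActionNode:
			walk(n.Pipe)
		case *parse.PipeNode:
			if n == nil {
				return
			}
			for _, c := range n.Cmds {
				walk(c)
			}
		case *parse.CommandNode:
			for _, a := range n.Args {
				walk(a)
			}
		case *parse.IdentifierNode:
			if n.Ident == "env" || n.Ident == "expandenv" {
				found = append(found, n.Ident)
			}
		case *parse.IfNode:
			walk(&n.BranchNode)
		case *parse.RangeNode:
			walk(&n.BranchNode)
		case *parse.WithNode:
			walk(&n.BranchNode)
		case *parse.BranchNode:
			walk(n.Pipe)
			walk(n.List)
			walk(n.ElseList)
		}
	}
	walk(tmpl.Tree.Root)
	return found, nil
}

func main() {
	os.Setenv("VELA_SECRET", "placeholder-value") // constructed, not a real secret
	text := `echo {{ env "VELA_SECRET" }} {{ upper .Repo }}`
	data := map[string]string{"Repo": "org/repo"}
	out, _ := render(permissiveFuncs(), text, data)
	fmt.Println("permissive:", out) // the server variable lands in the pipeline
	_, err := render(restrictedFuncs(), text, data)
	fmt.Println("restricted:", err) // rejected before execution
	used, _ := envFuncsUsed(text)
	fmt.Println("audit found:", used)
}
```

Removing the functions from the map is preferable to filtering template text, because the parser refuses the identifier wherever it appears; the audit helper is for finding templates that already depend on `env` so their owners can be told before the restricted map goes live.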