PT-2021-11235 · Vela Compiler

Matt-Fevold

Published 2021-01-04 · Updated 2024-08-21

CVE-2020-26294

CVSS v3.1: 7.4 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Vela versions prior to 0.6.1; Vela compiler versions prior to 0.6.1
Description: The issue allows exposure of server configuration, impacting all users of Vela. An attacker can use Sprig's env function to retrieve configuration information. This can be done via the pipeline template functionality: for example, by using the env function in a template to echo sensitive environment variables such as VELA_SOURCE_CLIENT or VELA_SECRET.
Recommendations: For versions prior to 0.6.1, upgrade to version 0.6.1. Rotate all secrets to minimize the risk of exploitation. As a temporary workaround, consider restricting the use of Sprig's env function in pipeline templates until the issue is resolved.
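The workaround from the Recommendations, as an added example written for this page and not code from Vela or Sprig: a minimal function map that mimics Sprig's env and expandenv (assumption: reproduced with the standard library rather than importing Sprig), the hardened map with those entries removed, and a constructed pipeline template that tries to echo VELA_SECRET. Under the original map the secret is rendered; under the hardened map the template is rejected at parse time, which is the check to run before accepting a template.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"strings"
	"text/template"
)

// sprigLikeFuncs mimics the subset of Sprig's function map relevant here.
// Assumption: only "env"/"expandenv" (which wrap os.Getenv/os.ExpandEnv)
// and one harmless helper are reproduced, not the full Sprig map.
func sprigLikeFuncs() template.FuncMap {
	return template.FuncMap{
		"env":       os.Getenv,
		"expandenv": os.ExpandEnv,
		"upper":     strings.ToUpper,
	}
}

// hardenedFuncs is the same map with the environment-reading functions
// removed, so templates cannot reach server configuration at all.
func hardenedFuncs() template.FuncMap {
	funcs := sprigLikeFuncs()
	for _, name := range []string{"env", "expandenv"} {
		delete(funcs, name)
	}
	return funcs
}

// renderPipelineTemplate parses and executes a template with the given
// function map. With hardenedFuncs, a call to env fails at Parse time
// ("function "env" not defined"), before anything is executed.
func renderPipelineTemplate(src string, funcs template.FuncMap) (string, error) {
	tmpl, err := template.New("pipeline").Funcs(funcs).Parse(src)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := tmpl.Execute(&out, nil); err != nil {
		return "", err
	}
	return out.String(), nil
}

// leakyTemplate is a constructed pipeline template (not from the advisory)
// that tries to echo a server-side secret into a build step.
const leakyTemplate = "steps:\n  - name: {{ upper \"leak\" }}\n    commands:\n      - echo {{ env \"VELA_SECRET\" }}\n"

func main() {
	os.Setenv("VELA_SECRET", "constructed-secret-value") // constructed value
	out, err := renderPipelineTemplate(leakyTemplate, sprigLikeFuncs())
	fmt.Printf("original map: err=%v\n%s", err, out)
	out, err = renderPipelineTemplate(leakyTemplate, hardenedFuncs())
	fmt.Printf("hardened map: err=%v out=%q\n", err, out)
}
```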

Exploit

Fix

Information Disclosure

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2020-26294
GHSA-GV2H-GF8M-R68J
GO-2022-0838

Affected Products

Sprig
Vela
Vela Compiler