PT-2021-14504 · Vela · Vela

Jordan Sussman · Published 2021-04-09 · Updated 2024-08-21 · CVE-2021-21432

CVSS v3.1: 7.5 (High)
Vector: AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Vela versions 0.7.0 through 0.7.4
Description: The issue lies in an authentication mechanism introduced in Vela 0.7.0 that lets a malicious user obtain secrets by abusing credentials injected into the ~/.netrc file. As described, this is achieved by creating a Vela server, logging in to the Vela UI, promoting oneself to a Vela administrator, activating a repository, and adding a .vela.yml file with specific content to that repository. The secrets can then be retrieved by running a script with environment-specific settings.
Recommendations: For Vela versions 0.7.0 through 0.7.4, upgrade to version 0.7.5 or later, which resolves the issue. As a temporary workaround, restrict access to the ~/.netrc file and to the github.com/go-vela/server API endpoint to reduce the risk of exploitation, and avoid using the VELA_TOKEN environment variable with the affected API endpoint until the issue is resolved.

Fix

Incorrect Authorization

Missing Authorization

Improper Authorization

Weakness Enumeration

Related Identifiers

CVE-2021-21432
GHSA-8J3F-MHQ8-GMH4
GO-2022-0812

Affected Products

Vela