PT-2022-24954

Wass3R · Published 2022-11-09 · Updated 2024-08-21 · CVE-2022-39395

CVSS v3.1: 9.6 (Critical)

Vector: AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Vela Server versions prior to 0.16.0
Vela Worker versions prior to 0.16.0
Vela UI versions prior to 0.17.0

Description

The issue concerns default configurations in Vela that allow exploitation and container breakouts. Specifically, running Vela plugins as privileged Docker containers can allow a malicious user to break out of the container and gain access to the worker host operating system. Additionally, the default allowed repositories setting permits anyone with a GitHub account to enable a repository within Vela and run builds, potentially allowing arbitrary code execution. The default enabled events also allow pull requests, which can pose a risk if secrets within Vela are configured to be available in pull requests.

Recommendations

For Vela Server and Vela Worker versions prior to 0.16.0, upgrade to version 0.16.0 or later; for Vela UI versions prior to 0.17.0, upgrade to version 0.17.0 or later. In all cases, explicitly change the default settings to configure Vela as desired. As a temporary workaround, set the worker's VELA_RUNTIME_PRIVILEGED_IMAGES setting to be explicitly empty, use the VELA_REPO_ALLOWLIST setting on the server component to restrict enablement to a list of allowed repositories, and/or audit enabled repositories and disable pull request events if they are not needed.
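Assuming the worker and server read these settings from a KEY=VALUE env-file, the following added example (not code from the Vela project or from this advisory) flags the two workaround settings named above when they are left permissive. The placeholder image and repository names are constructed, and treating an empty or wildcard allowlist as "unrestricted" is an assumption to verify against the deployed Vela version.

```python
"""Audit a Vela env-file for the CVE-2022-39395 insecure defaults (added example,
not Vela project code; wildcard/empty allowlist == unrestricted is an assumption)."""
from typing import Dict, List

PRIVILEGED_KEY = "VELA_RUNTIME_PRIVILEGED_IMAGES"  # worker setting
ALLOWLIST_KEY = "VELA_REPO_ALLOWLIST"              # server setting


def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; blank lines and # comments are ignored."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("\"'")
    return env


def audit_vela_config(env: Dict[str, str]) -> List[str]:
    """Return one finding per insecure setting; an empty list means both pass."""
    findings: List[str] = []
    # Worker: every image listed here runs as a privileged container (the
    # breakout vector). Safe value is explicitly empty; an absent key means the
    # built-in default list still applies.
    if PRIVILEGED_KEY not in env:
        findings.append(f"{PRIVILEGED_KEY} unset: default privileged plugin images apply")
    elif env[PRIVILEGED_KEY]:
        findings.append(f"{PRIVILEGED_KEY} allows privileged images: {env[PRIVILEGED_KEY]}")
    # Server: without an explicit allowlist any GitHub account can enable a
    # repository and run builds on the workers.
    repos = [r.strip() for r in env.get(ALLOWLIST_KEY, "").split(",") if r.strip()]
    if not repos or "*" in repos:
        findings.append(f"{ALLOWLIST_KEY} does not restrict which repositories may be enabled")
    return findings


# Constructed sample env-files (image name and repositories are placeholders).
WEAK_ENV = "VELA_RUNTIME_PRIVILEGED_IMAGES=example/docker-plugin\nVELA_REPO_ALLOWLIST=*\n"
HARDENED_ENV = "VELA_RUNTIME_PRIVILEGED_IMAGES=\nVELA_REPO_ALLOWLIST=myorg/app,myorg/infra\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK_ENV), ("hardened", HARDENED_ENV)):
        print(name, audit_vela_config(parse_env(text)) or ["no findings"])
```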

Weakness Enumeration

Improper Privilege Management

Related Identifiers

CVE-2022-39395
GHSA-2W78-FFV6-P46W
GHSA-5M7G-PJ8W-7593
GHSA-XF39-98M2-889V
GO-2022-1100

Affected Products

Docker
Vela Server
Vela UI
Vela Worker