PT-2024-22351 · Vela · Vela

Gdiepen · Published 2024-03-12 · Updated 2025-01-22 · CVE-2024-28236

CVSS v3.1: 7.7 High
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Vela versions prior to 0.23.2

Description: Vela pipelines can use variable substitution combined with insensitive fields such as parameters, image, and entrypoint to inject secrets into a plugin/image and bypass log masking, exposing secrets without using the commands block. This unexpected behavior primarily affects secrets restricted by the "no commands" option, leading to unintended use of the secret value and an increased risk of exposing it during image execution. Exploitation requires a pipeline author to supply the secret to a plugin that prints its parameters in logs; parameters should be treated as insensitive. While Vela provides secrets masking, masking does not entirely solve secrets exposure, and the end user remains responsible for understanding how values injected into a plugin are used.

Recommendations: For versions prior to 0.23.2, upgrade to version 0.23.2 to address the issue. Users unable to upgrade should not provide sensitive values to plugins that can expose them, especially in parameters that are not intended for sensitive values, and should ensure plugins follow best practices and avoid logging parameters that are expected to be sensitive. Further mitigations: minimize the number of secrets that have the pull request event enabled; use the build approval setting to restrict builds from untrusted users; and limit the use of shared secrets, which are by nature less restrictive in who can access them.
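To make the mechanism in the description and the "do not put secrets in parameters" recommendation concrete, the following Go program is an added example and is not Vela's own code. It models a secret carrying the "no commands" restriction, substitutes `${NAME}` references into a step the way the advisory describes (the parameters and image fields are expanded without regard to the restriction, only the commands block enforces it), runs a constructed plugin that dumps its parameters to the build log, and applies verbatim log masking. The `strict` mode, which also refuses restricted secrets in the insensitive fields, is an illustrative hardening and an assumption, not a description of what changed in 0.23.2. The secret name and value, the parameter name and the image reference are invented.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Secret is a simplified Vela secret; AllowCommands=false stands in for the
// "no commands" restriction the advisory refers to.
type Secret struct {
	Value         string
	AllowCommands bool
}

// Step is a simplified pipeline step. Image and Parameters are "insensitive"
// fields handed to the plugin (entrypoint would be treated the same way).
type Step struct {
	Image      string
	Parameters map[string]string
	Commands   []string
}

var secretRef = regexp.MustCompile(`\$\{([A-Za-z_][A-Za-z0-9_]*)\}`)

// expandField substitutes ${NAME} references in one field; with enforce set,
// a reference to a no-commands secret is an error for that field.
func expandField(field, v string, secrets map[string]Secret, enforce bool) (string, error) {
	var err error
	out := secretRef.ReplaceAllStringFunc(v, func(m string) string {
		sec, ok := secrets[secretRef.FindStringSubmatch(m)[1]]
		if !ok {
			return m // unknown reference is left untouched
		}
		if enforce && !sec.AllowCommands && err == nil {
			err = fmt.Errorf("restricted secret %s may not be used in %s", m, field)
		}
		return sec.Value
	})
	return out, err // callers discard out when err is set
}

// substitute expands references across a step. strict=false models the
// pre-0.23.2 behaviour the advisory describes: only the commands block enforces
// the restriction, so a restricted secret still reaches the plugin through a
// parameter or the image. strict=true is an illustrative hardening (an
// assumption, not Vela's actual change) that enforces it on those fields too.
func substitute(st Step, secrets map[string]Secret, strict bool) (Step, error) {
	out := Step{Parameters: map[string]string{}}
	var err error
	if out.Image, err = expandField("image", st.Image, secrets, strict); err != nil {
		return Step{}, err
	}
	for k, v := range st.Parameters {
		if out.Parameters[k], err = expandField("parameters."+k, v, secrets, strict); err != nil {
			return Step{}, err
		}
	}
	for _, c := range st.Commands {
		expanded, err := expandField("commands", c, secrets, true) // always enforced
		if err != nil {
			return Step{}, err
		}
		out.Commands = append(out.Commands, expanded)
	}
	return out, nil
}

// runPlugin is a constructed plugin that dumps each parameter to the build log
// twice: verbatim and hex-encoded (think of a debug dump).
func runPlugin(st Step) []string {
	var logs []string
	for k, v := range st.Parameters {
		logs = append(logs, fmt.Sprintf("param %s=%s", k, v),
			fmt.Sprintf("param %s hex=%s", k, hex.EncodeToString([]byte(v))))
	}
	return logs
}

// maskLogs is verbatim masking: each secret value is replaced by ***. A secret
// printed in transformed form slips through, which is why masking alone is not enough.
func maskLogs(lines []string, secrets map[string]Secret) []string {
	out := make([]string, len(lines))
	for i, l := range lines {
		for _, s := range secrets {
			if s.Value != "" {
				l = strings.ReplaceAll(l, s.Value, "***")
			}
		}
		out[i] = l
	}
	return out
}

func main() {
	// Constructed input: an invented secret and an invented plugin image reference.
	secrets := map[string]Secret{"DEPLOY_TOKEN": {Value: "s3cr3t-token-value"}}
	step := Step{Image: "example.invalid/echo-plugin:1", Parameters: map[string]string{"token": "${DEPLOY_TOKEN}"}}
	st, err := substitute(step, secrets, false) // no commands block, yet the secret gets through
	fmt.Println("lenient:", err, maskLogs(runPlugin(st), secrets))
	_, err = substitute(step, secrets, true)
	fmt.Println("strict:", err)
}
```

Running it shows the two failure modes side by side: in lenient mode the restricted secret lands in the plugin's parameter without any commands block, the verbatim log line is masked, and the hex-encoded line is not; in strict mode the build fails before the plugin ever sees the value. The lesson for operators is the one the recommendations make: masking is a last line of defence, and secrets should not be fed into parameters a plugin may print.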

References: Exploit · Fix

Weakness Enumeration

Information Disclosure
Insertion into Log File

Related Identifiers

CVE-2024-28236
GHSA-PWX5-6WXG-PX5H
GO-2024-2641

Affected Products

Vela