PT-2024-29277 · Unknown · Woodpecker

D_K_Dev

+3

·

Published

2024-07-19

·

Updated

2024-10-03

·

CVE-2024-41121

CVSS v3.1

8.8

High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Woodpecker versions prior to 2.7.0
Description: The Woodpecker server allows any user to create and trigger malicious workflows, potentially leading to a takeover of the host that runs the pipeline or to extraction of the secrets normally provided to plugins. The issue is exploitable through the custom workspace feature, which can be abused to overwrite plugin entrypoint executables with repository-controlled files.
Recommendations: Upgrade to version 2.7.0 or later, which addresses the issue. Until the upgrade is applied, enable the "gated" repository feature so that every change is reviewed and approved before it runs, and restrict who can use the custom workspace feature so that plugin entrypoint executables cannot be overwritten.
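The attack in the description depends on the shared workspace being mounted into plugin containers at a user-chosen path: a workspace base that covers the plugin's entrypoint replaces the plugin binary with files from the repository, and the replacement then runs with the plugin's secrets. The following Go function is an added example of the kind of server-side validation that closes that class of bug; it is not Woodpecker's code and not its actual fix. The allowed root `/woodpecker`, the `protectedDirs` list and the function name `ResolveWorkspace` are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// allowedRoot is the only prefix under which a pipeline may place its
// workspace. It is an assumption of this example, not a Woodpecker setting.
const allowedRoot = "/woodpecker"

// protectedDirs are locations where container images keep their binaries,
// including plugin entrypoints. A workspace volume mounted at, above or
// inside any of them could shadow the plugin executable with files that
// come from the repository. The list is illustrative.
var protectedDirs = []string{
	"/bin", "/sbin", "/usr", "/lib", "/lib64", "/etc", "/opt", "/root",
	"/dev", "/proc", "/sys", "/var",
}

// ErrUnsafeWorkspace marks every rejection so callers can errors.Is() it.
var ErrUnsafeWorkspace = errors.New("unsafe workspace path")

// isWithin reports whether child equals dir or lies below it. Both must be
// cleaned absolute paths; "/" contains everything.
func isWithin(child, dir string) bool {
	if dir == "/" {
		return true
	}
	return child == dir || strings.HasPrefix(child, dir+"/")
}

// ResolveWorkspace turns a requested workspace base and repository sub-path
// into the single absolute directory that would be mounted into every step
// container, and refuses layouts that could overlay a plugin entrypoint.
func ResolveWorkspace(base, sub string) (string, error) {
	if !path.IsAbs(base) {
		return "", fmt.Errorf("%w: base %q is not absolute", ErrUnsafeWorkspace, base)
	}
	if path.IsAbs(sub) {
		return "", fmt.Errorf("%w: path %q must be relative to the base", ErrUnsafeWorkspace, sub)
	}
	cleanBase := path.Clean(base)
	// path.Join cleans ".." segments, so a traversal attempt shows up as the
	// joined result leaving the base rather than as a literal "..".
	mount := path.Join(cleanBase, sub)
	if !isWithin(mount, cleanBase) {
		return "", fmt.Errorf("%w: %q escapes base %q", ErrUnsafeWorkspace, sub, cleanBase)
	}
	if !isWithin(mount, allowedRoot) {
		return "", fmt.Errorf("%w: %q is outside %s", ErrUnsafeWorkspace, mount, allowedRoot)
	}
	// Belt and braces in case allowedRoot is ever loosened: reject a mount
	// that covers a protected directory (hiding its binaries) as well as one
	// placed inside it (replacing part of it).
	for _, dir := range protectedDirs {
		if isWithin(dir, mount) || isWithin(mount, dir) {
			return "", fmt.Errorf("%w: %q overlaps protected %s", ErrUnsafeWorkspace, mount, dir)
		}
	}
	return mount, nil
}

func main() {
	// Constructed inputs: a normal layout followed by the shapes an attacker
	// would try in order to land the workspace on top of a plugin binary.
	cases := [][2]string{
		{"/woodpecker", "src/github.com/example/repo"},
		{"/usr/local/bin", "."},
		{"/woodpecker", "../usr/local/bin"},
		{"/", "bin"},
		{"/woodpecker", "/bin"},
	}
	for _, c := range cases {
		mount, err := ResolveWorkspace(c[0], c[1])
		if err != nil {
			fmt.Printf("reject base=%q path=%q: %v\n", c[0], c[1], err)
			continue
		}
		fmt.Printf("accept base=%q path=%q -> %s\n", c[0], c[1], mount)
	}
}
```

The check is deliberately done on the resolved mount point rather than on the raw strings: an attacker never needs to type `..` literally if the server joins and cleans the path later, so the validation has to run on exactly the value that reaches the container runtime. The allowed-root rule alone already blocks every case above; the `protectedDirs` pass only matters if an operator widens the root, which is why it is kept as a second, independent check.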

Exploit

Fix

Weakness Enumeration

Path traversal

Special Elements Injection

Related Identifiers

CVE-2024-41121
GHSA-XW35-RRCP-G7XM
GO-2024-2999

Affected Products

Woodpecker