PT-2024-29278 · Unknown · Woodpecker

Author: D_K_Dev
Published: 2024-07-19 · Updated: 2024-11-15

CVE-2024-41122
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Woodpecker versions prior to 2.7.0

Description: The issue allows attackers to create malicious workflows that can lead to host takeover or secret leaks. This is possible because the server allows any user to trigger a pipeline run, and those workflows can either take over the host running the agent or extract secrets normally provided to plugins. The estimated number of potentially affected devices is not specified.

Recommendations: For versions prior to 2.7.0, upgrade to release version 2.7.0 to address the issue. As a temporary workaround, enable the "gated" repo feature and review each change before it is run. There are no other known workarounds for this issue.

Weakness Enumeration: Special Elements Injection

Related Identifiers:
CVE-2024-41122
GHSA-3WF2-2PQ4-4RVC
GO-2024-2998

Affected Products: Woodpecker