Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's `env` function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-01-04T18:35:14

Updated: 2024-08-04T15:56:03.799Z

Reserved: 2020-10-01T00:00:00

Link: CVE-2020-26294

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-01-04T19:15:15.110

Modified: 2024-11-21T05:19:47.197

Link: CVE-2020-26294

cve-icon Redhat

No data.