CVE-2020-26294 - OpenCVE

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's `env` function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Target	Compiler

Configuration 1 [-]

cpe:2.3:a:target:compiler:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda
https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j
https://pkg.go.dev/github.com/go-vela/compiler/compiler

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-01-04T18:35:14

Updated: 2024-08-04T15:56:03.799Z

Reserved: 2020-10-01T00:00:00

Link: CVE-2020-26294

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-01-04T19:15:15.110

Modified: 2021-01-14T17:01:09.177

Link: CVE-2020-26294

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "compiler", "vendor": "go-vela", "versions": [{"status": "affected", "version": "< 0.6.1"}]}], "descriptions": [{"lang": "en", "value": "Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's `env` function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 OS Command Injection", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-01-04T18:35:13", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda"}, {"tags": ["x_refsource_MISC"], "url": "https://pkg.go.dev/github.com/go-vela/compiler/compiler"}], "source": {"advisory": "GHSA-gv2h-gf8m-r68j", "discovery": "UNKNOWN"}, "title": "Exposure of server configuration", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-26294", "STATE": "PUBLIC", "TITLE": "Exposure of server configuration"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "compiler", "version": {"version_data": [{"version_value": "< 0.6.1"}]}}]}, "vendor_name": "go-vela"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's `env` function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-78 OS Command Injection"}]}]}, "references": {"reference_data": [{"name": "https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j", "refsource": "CONFIRM", "url": "https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j"}, {"name": "https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda", "refsource": "MISC", "url": "https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda"}, {"name": "https://pkg.go.dev/github.com/go-vela/compiler/compiler", "refsource": "MISC", "url": "https://pkg.go.dev/github.com/go-vela/compiler/compiler"}]}, "source": {"advisory": "GHSA-gv2h-gf8m-r68j", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:56:03.799Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://pkg.go.dev/github.com/go-vela/compiler/compiler"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-26294", "datePublished": "2021-01-04T18:35:14", "dateReserved": "2020-10-01T00:00:00", "dateUpdated": "2024-08-04T15:56:03.799Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:target:compiler:*:*:*:*:*:*:*:*", "matchCriteriaId": "169B58E8-A809-40F9-A10D-3DD07BC24E76", "versionEndExcluding": "0.6.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's `env` function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets."}, {"lang": "es", "value": "Vela es un framework de Pipeline Automation (CI/CD) construido sobre la tecnolog\u00eda de contenedores de Linux escrita en Golang. En el compilador de Vela versiones anteriores a 0.6.1, se presenta una vulnerabilidad que permite exponer la configuraci\u00f3n del servidor. Esto afecta a todos los usuarios de Vela. Un atacante puede usar la funci\u00f3n \"env\" de Sprig para recuperar informaci\u00f3n de configuraci\u00f3n; consulte GHSA referenciada para un ejemplo. Esto se ha sido corregido en la versi\u00f3n 0.6.1. Adem\u00e1s de actualizar, se recomienda rotar todos los secretos."}], "id": "CVE-2020-26294", "lastModified": "2021-01-14T17:01:09.177", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-01-04T19:15:15.110", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j"}, {"source": "security-advisories@github.com", "tags": ["Product", "Third Party Advisory"], "url": "https://pkg.go.dev/github.com/go-vela/compiler/compiler"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}