Search
Find a vulnerability
Search criteria
2 vulnerabilities found for compiler by target
CVE-2020-26294 (GCVE-0-2020-26294)
Vulnerability from nvd – Published: 2021-01-04 18:35 – Updated: 2024-08-04 15:56
VLAI
EPSS
VEX
Title
Exposure of server configuration
Summary
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's `env` function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets.
Severity
7.4 (High)
CWE
- CWE-78 - OS Command Injection
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/go-vela/compiler/security/advi… | x_refsource_CONFIRM |
| https://github.com/go-vela/compiler/commit/f1ace5… | x_refsource_MISC |
| https://pkg.go.dev/github.com/go-vela/compiler/compiler | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:56:03.799Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://pkg.go.dev/github.com/go-vela/compiler/compiler"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "compiler",
"vendor": "go-vela",
"versions": [
{
"status": "affected",
"version": "\u003c 0.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig\u0027s `env` function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-04T18:35:13.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://pkg.go.dev/github.com/go-vela/compiler/compiler"
}
],
"source": {
"advisory": "GHSA-gv2h-gf8m-r68j",
"discovery": "UNKNOWN"
},
"title": "Exposure of server configuration",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-26294",
"STATE": "PUBLIC",
"TITLE": "Exposure of server configuration"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "compiler",
"version": {
"version_data": [
{
"version_value": "\u003c 0.6.1"
}
]
}
}
]
},
"vendor_name": "go-vela"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig\u0027s `env` function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j",
"refsource": "CONFIRM",
"url": "https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j"
},
{
"name": "https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda",
"refsource": "MISC",
"url": "https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda"
},
{
"name": "https://pkg.go.dev/github.com/go-vela/compiler/compiler",
"refsource": "MISC",
"url": "https://pkg.go.dev/github.com/go-vela/compiler/compiler"
}
]
},
"source": {
"advisory": "GHSA-gv2h-gf8m-r68j",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-26294",
"datePublished": "2021-01-04T18:35:14.000Z",
"dateReserved": "2020-10-01T00:00:00.000Z",
"dateUpdated": "2024-08-04T15:56:03.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26294 (GCVE-0-2020-26294)
Vulnerability from cvelistv5 – Published: 2021-01-04 18:35 – Updated: 2024-08-04 15:56
VLAI
EPSS
VEX
Title
Exposure of server configuration
Summary
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's `env` function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets.
Severity
7.4 (High)
CWE
- CWE-78 - OS Command Injection
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/go-vela/compiler/security/advi… | x_refsource_CONFIRM |
| https://github.com/go-vela/compiler/commit/f1ace5… | x_refsource_MISC |
| https://pkg.go.dev/github.com/go-vela/compiler/compiler | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:56:03.799Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://pkg.go.dev/github.com/go-vela/compiler/compiler"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "compiler",
"vendor": "go-vela",
"versions": [
{
"status": "affected",
"version": "\u003c 0.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig\u0027s `env` function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-04T18:35:13.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://pkg.go.dev/github.com/go-vela/compiler/compiler"
}
],
"source": {
"advisory": "GHSA-gv2h-gf8m-r68j",
"discovery": "UNKNOWN"
},
"title": "Exposure of server configuration",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-26294",
"STATE": "PUBLIC",
"TITLE": "Exposure of server configuration"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "compiler",
"version": {
"version_data": [
{
"version_value": "\u003c 0.6.1"
}
]
}
}
]
},
"vendor_name": "go-vela"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig\u0027s `env` function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j",
"refsource": "CONFIRM",
"url": "https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j"
},
{
"name": "https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda",
"refsource": "MISC",
"url": "https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda"
},
{
"name": "https://pkg.go.dev/github.com/go-vela/compiler/compiler",
"refsource": "MISC",
"url": "https://pkg.go.dev/github.com/go-vela/compiler/compiler"
}
]
},
"source": {
"advisory": "GHSA-gv2h-gf8m-r68j",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-26294",
"datePublished": "2021-01-04T18:35:14.000Z",
"dateReserved": "2020-10-01T00:00:00.000Z",
"dateUpdated": "2024-08-04T15:56:03.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}