Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-xw35-rrcp-g7xm: Woodpecker's custom workspace allow to overwrite plugin entrypoint executable

Impact

The server allow to create any user who can trigger a pipeline run malicious workflows:

  • Those workflows can either lead to a host takeover that runs the agent executing the workflow.
  • Or allow to extract the secrets who would be normally provided to the plugins who’s entrypoint are overwritten.

Patches

https://github.com/woodpecker-ci/woodpecker/pull/3933

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading? Enable the “gated” repo feature and review each change upfront

References

  • https://github.com/woodpecker-ci/woodpecker/pull/3933
  • https://github.com/woodpecker-ci/woodpecker-security/pull/11
  • https://github.com/woodpecker-ci/woodpecker-security/issues/8 (info will be published later at https://github.com/woodpecker-ci/woodpecker/issues/3924)
  • https://github.com/woodpecker-ci/woodpecker-security/issues/9 (info will be published later at https://github.com/woodpecker-ci/woodpecker/issues/3924)
  • https://github.com/woodpecker-ci/woodpecker/issues/3924 (info will be published later once we got adoption of the update)

Credits

  • Daniel Kilimnik @D_K_Dev (Neodyme AG)
  • Felipe Custodio Romero @localo (Neodyme AG)
ghsa
Open in Source
#vulnerability#git

Woodpecker’s custom workspace allow to overwrite plugin entrypoint executable

High severity GitHub Reviewed Published Jul 18, 2024 in woodpecker-ci/woodpecker • Updated Jul 19, 2024

ghsa: Latest News

GHSA-7p9f-6x8j-gxxp: CRI-O: Maliciously structured checkpoint file can gain arbitrary node access
ghsa