Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-3wf2-2pq4-4rvc: Woodpecker's custom environment variables allow to alter execution flow of plugins

Impact

The server allow to create any user who can trigger a pipeline run malicious workflows:

  • Those workflows can either lead to a host takeover that runs the agent executing the workflow.
  • Or allow to extract the secrets who would be normally provided to the plugins who’s entrypoint are overwritten.

Patches

https://github.com/woodpecker-ci/woodpecker/pull/3909 https://github.com/woodpecker-ci/woodpecker/pull/3934

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading? Enable the “gated” repo feature and review each change upfront of running

References

  • https://github.com/woodpecker-ci/woodpecker/pull/3909
  • https://github.com/woodpecker-ci/woodpecker/pull/3934
  • https://github.com/woodpecker-ci/woodpecker-security/issues/10 (info will be published later at https://github.com/woodpecker-ci/woodpecker/issues/3929)
  • https://github.com/woodpecker-ci/woodpecker/issues/3929 (info will be published later once we got adoption of the update)

Credits

  • Daniel Kilimnik @D_K_Dev (Neodyme AG)
  • Felipe Custodio Romero @localo (Neodyme AG)
ghsa
Open in Source
#vulnerability#git

Woodpecker’s custom environment variables allow to alter execution flow of plugins

High severity GitHub Reviewed Published Jul 18, 2024 in woodpecker-ci/woodpecker • Updated Jul 19, 2024

ghsa: Latest News

GHSA-7p9f-6x8j-gxxp: CRI-O: Maliciously structured checkpoint file can gain arbitrary node access
ghsa