漏洞标题
服务器配置曝光
漏洞描述信息
服务器配置曝光
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
漏洞类别
N/A
漏洞标题
Exposure of server configuration
漏洞描述信息
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's `env` function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets.
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
漏洞类别
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
漏洞标题
Target Vela 操作系统命令注入漏洞
漏洞描述信息
Target Vela是加拿大Target公司的一个基于Go语言、Linux容器技术的管道自动化(CI/CD)框架。 Vela 存在安全漏洞,该漏洞允许公开服务器配置。攻击者可利用该漏洞可以使用Sprig的env函数来检索配置信息。
CVSS信息
N/A
漏洞类别
授权问题