Vulnerability Title
Insufficient Webhook Payload Data Verification in Vela Server
Vulnerability Description
Vela is a pipeline automation (CI/CD) framework built on Linux container technology and written in Golang. Prior to versions 0.25.3 and 0.26.3, by forging a webhook message with a specific set of headers and body data, an attacker could transfer ownership of a repository, together with its repository-level secrets, to a different repository. The attacker could then exfiltrate those secrets through subsequent builds of the repository. In Vela, users who own an enabled repository and have access to repository-level CI secrets are exposed to this vulnerability; at the same time, any user with access to the CI instance and the linked source control manager can exploit it. Versions 0.25.3 and 0.26.3 fix the issue. No known workarounds are available.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Vulnerability Category
Information Exposure
Vulnerability Title
Vela Server has Insufficient Webhook Payload Data Verification
Vulnerability Description
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo-level secrets to a separate repository. These secrets could be exfiltrated by follow-up builds to the repository. Users with an enabled repository with access to repo-level CI secrets in Vela are vulnerable to the exploit, and any user with access to the CI instance and the linked source control manager can perform the exploit. Versions 0.25.3 and 0.26.3 fix the issue. No known workarounds are available.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Vulnerability Category
Authentication Bypass by Spoofing