CVE-2021-21432

Sažetak

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. An authentication mechanism added in version 0.7.0 enables some malicious user to obtain secrets utilizing the injected credentials within the `~/.netrc` file. Refer to the referenced GitHub Security Advisory for complete details. This is fixed in version 0.7.5.

Reference

https://pkg.go.dev/github.com/go-vela/server
https://github.com/go-vela/server/commit/cb4352918b8ecace9fe969b90404d337b0744d46
https://github.com/go-vela/server/releases/tag/v0.7.5
https://github.com/go-vela/server/pull/337
https://github.com/go-vela/server/security/advisories/GHSA-8j3f-mhq8-gmh4

CVSS

Base:	3.5
Impact:	2.9
Exploitability:	6.8

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	SINGLE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	NONE	NONE

CVSS vektor

AV:N/AC:M/Au:S/C:P/I:N/A:N

Zadnje važnije ažuriranje

12-08-2022 - 18:02

Objavljeno

09-04-2021 - 18:15