Skip to content

Woodpecker's custom environment variables allow to alter execution flow of plugins

High severity GitHub Reviewed Published Jul 18, 2024 in woodpecker-ci/woodpecker • Updated Aug 7, 2024

Package

gomod go.woodpecker-ci.org/woodpecker (Go)

Affected versions

< 2.7.0

Patched versions

2.7.0
gomod go.woodpecker-ci.org/woodpecker/v2 (Go)
< 2.7.0
2.7.0

Description

Impact

The server allow to create any user who can trigger a pipeline run malicious workflows:

  • Those workflows can either lead to a host takeover that runs the agent executing the workflow.
  • Or allow to extract the secrets who would be normally provided to the plugins who's entrypoint are overwritten.

Patches

woodpecker-ci/woodpecker#3909
woodpecker-ci/woodpecker#3934

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?
Enable the "gated" repo feature and review each change upfront of running

References

Credits

  • Daniel Kilimnik @D_K_Dev (Neodyme AG)
  • Felipe Custodio Romero @localo (Neodyme AG)

References

@6543 6543 published to woodpecker-ci/woodpecker Jul 18, 2024
Published to the GitHub Advisory Database Jul 19, 2024
Reviewed Jul 19, 2024
Published by the National Vulnerability Database Jul 19, 2024
Last updated Aug 7, 2024

Severity

High

EPSS score

0.082%
(36th percentile)

Weaknesses

CVE ID

CVE-2024-41122

GHSA ID

GHSA-3wf2-2pq4-4rvc
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.