Vulnerabilities > CVE-2020-26294 - Unspecified vulnerability in Target Compiler
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
LOW Integrity impact
NONE Availability impact
NONE Summary
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's `env` function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets.
Vulnerable Configurations
References
- https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda
- https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda
- https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j
- https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j
- https://pkg.go.dev/github.com/go-vela/compiler/compiler
- https://pkg.go.dev/github.com/go-vela/compiler/compiler