Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Exposure of server configuration
Vulnerability Description
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's `env` function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
Vulnerability Title
Target Vela 操作系统命令注入漏洞
Vulnerability Description
Target Vela是加拿大Target公司的一个基于Go语言、Linux容器技术的管道自动化(CI/CD)框架。 Vela 存在安全漏洞,该漏洞允许公开服务器配置。攻击者可利用该漏洞可以使用Sprig的env函数来检索配置信息。
CVSS Information
N/A
Vulnerability Type
N/A