cvelistv5 - CVE-2022-39395

CVE-2022-39395 (GCVE-0-2022-39395)

Vulnerability from cvelistv5 – Published: 2022-11-10 00:00 – Updated: 2025-04-23 16:38

Summary

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow exploitation and container breakouts. Users should upgrade to Server 0.16.0, Worker 0.16.0, and UI 0.17.0 to fix the issue. After upgrading, Vela administrators will need to explicitly change the default settings to configure Vela as desired. Some of the fixes will interrupt existing workflows and will require Vela administrators to modify default settings. However, not applying the patch (or workarounds) will continue existing risk exposure. Some workarounds are available. Vela administrators can adjust the worker's `VELA_RUNTIME_PRIVILEGED_IMAGES` setting to be explicitly empty, leverage the `VELA_REPO_ALLOWLIST` setting on the server component to restrict access to a list of repositories that are allowed to be enabled, and/or audit enabled repositories and disable pull_requests if they are not needed.

Severity ?

9.6 (Critical)


                        
                          CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-269 - Improper Privilege Management

Assigner

GitHub_M

References

URL

Tags

	https://github.com/go-vela/server/security/adviso…
	https://github.com/go-vela/ui/security/advisories…
	https://github.com/go-vela/worker/security/adviso…
	https://github.com/go-vela/server/commit/05558ee9…
	https://docs.docker.com/engine/security/#docker-d…
	https://github.com/go-vela/server/releases/tag/v0.16.0
	https://github.com/go-vela/ui/releases/tag/v0.17.0
	https://github.com/go-vela/worker/releases/tag/v0.16.0
	https://go-vela.github.io/docs/installation/serve…
	https://go-vela.github.io/docs/installation/worke…

Impacted products

	Vendor	Product	Version
	go-vela	server	Affected: < 0.16.0 Affected: < 0.17.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T12:07:41.884Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/go-vela/worker/security/advisories/GHSA-2w78-ffv6-p46w"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.docker.com/engine/security/#docker-daemon-attack-surface"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/go-vela/server/releases/tag/v0.16.0"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/go-vela/ui/releases/tag/v0.17.0"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/go-vela/worker/releases/tag/v0.16.0"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go-vela.github.io/docs/installation/server/reference/#vela_repo_allowlist"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go-vela.github.io/docs/installation/worker/reference/#vela_runtime_privileged_images"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-39395",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T15:46:53.128029Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T16:38:58.851Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "server",
          "vendor": "go-vela",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.16.0"
            },
            {
              "status": "affected",
              "version": "\u003c 0.17.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow exploitation and container breakouts. Users should upgrade to Server 0.16.0, Worker 0.16.0, and UI 0.17.0 to fix the issue. After upgrading, Vela administrators will need to explicitly change the default settings to configure Vela as desired. Some of the fixes will interrupt existing workflows and will require Vela administrators to modify default settings. However, not applying the patch (or workarounds) will continue existing risk exposure. Some workarounds are available. Vela administrators can adjust the worker\u0027s `VELA_RUNTIME_PRIVILEGED_IMAGES` setting to be explicitly empty, leverage the `VELA_REPO_ALLOWLIST` setting on the server component to restrict access to a list of repositories that are allowed to be enabled, and/or audit enabled repositories and disable pull_requests if they are not needed."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-10T00:00:00.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593"
        },
        {
          "url": "https://github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v"
        },
        {
          "url": "https://github.com/go-vela/worker/security/advisories/GHSA-2w78-ffv6-p46w"
        },
        {
          "url": "https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4"
        },
        {
          "url": "https://docs.docker.com/engine/security/#docker-daemon-attack-surface"
        },
        {
          "url": "https://github.com/go-vela/server/releases/tag/v0.16.0"
        },
        {
          "url": "https://github.com/go-vela/ui/releases/tag/v0.17.0"
        },
        {
          "url": "https://github.com/go-vela/worker/releases/tag/v0.16.0"
        },
        {
          "url": "https://go-vela.github.io/docs/installation/server/reference/#vela_repo_allowlist"
        },
        {
          "url": "https://go-vela.github.io/docs/installation/worker/reference/#vela_runtime_privileged_images"
        }
      ],
      "source": {
        "advisory": "GHSA-5m7g-pj8w-7593",
        "discovery": "UNKNOWN"
      },
      "title": "Vela Insecure Defaults"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-39395",
    "datePublished": "2022-11-10T00:00:00.000Z",
    "dateReserved": "2022-09-02T00:00:00.000Z",
    "dateUpdated": "2025-04-23T16:38:58.851Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:go-vela:server:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"0.16.0\", \"matchCriteriaId\": \"92189644-4057-41AB-BF5A-BFA398413096\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:go-vela:ui:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"0.17.0\", \"matchCriteriaId\": \"EF033D57-F835-4EB7-9AA7-6D7B2F1E64BA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:go-vela:worker:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"0.16.0\", \"matchCriteriaId\": \"16935176-86CA-42A1-826F-8881FC07AB8A\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow exploitation and container breakouts. Users should upgrade to Server 0.16.0, Worker 0.16.0, and UI 0.17.0 to fix the issue. After upgrading, Vela administrators will need to explicitly change the default settings to configure Vela as desired. Some of the fixes will interrupt existing workflows and will require Vela administrators to modify default settings. However, not applying the patch (or workarounds) will continue existing risk exposure. Some workarounds are available. Vela administrators can adjust the worker\u0027s `VELA_RUNTIME_PRIVILEGED_IMAGES` setting to be explicitly empty, leverage the `VELA_REPO_ALLOWLIST` setting on the server component to restrict access to a list of repositories that are allowed to be enabled, and/or audit enabled repositories and disable pull_requests if they are not needed.\"}, {\"lang\": \"es\", \"value\": \"Vela es un framework de Pipeline Automation (CI/CD) construido sobre tecnolog\\u00eda de contenedores de Linux escrita en Golang. En Vela Server y Vela Worker anteriores a la versi\\u00f3n 0.16.0 y Vela UI anteriores a la versi\\u00f3n 0.17.0, algunas configuraciones predeterminadas para Vela permiten la explotaci\\u00f3n y la ruptura de contenedores. Los usuarios deben actualizar a Server 0.16.0, Worker 0.16.0 y UI 0.17.0 para solucionar el problema. Despu\\u00e9s de la actualizaci\\u00f3n, los administradores de Vela deber\\u00e1n cambiar expl\\u00edcitamente la configuraci\\u00f3n predeterminada para configurar Vela como deseen. Algunas de las correcciones interrumpir\\u00e1n los flujos de trabajo existentes y requerir\\u00e1n que los administradores de Vela modifiquen la configuraci\\u00f3n predeterminada. Sin embargo, no aplicar el parche (o workarounds) continuar\\u00e1 la exposici\\u00f3n al riesgo existente. Algunas soluciones est\\u00e1n disponibles. Los administradores de Vela pueden ajustar la configuraci\\u00f3n `VELA_RUNTIME_PRIVILEGED_IMAGES` del trabajador para que est\\u00e9 expl\\u00edcitamente vac\\u00eda, aprovechar la configuraci\\u00f3n `VELA_REPO_ALLOWLIST` en el componente del servidor para restringir el acceso a una lista de repositorios que pueden habilitarse y/o auditar los repositorios habilitados y deshabilitar pull_requests si no son necesarios.\"}]",
      "id": "CVE-2022-39395",
      "lastModified": "2024-11-21T07:18:12.223",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"baseScore\": 9.6, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"ADJACENT_NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 6.0}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"baseScore\": 9.9, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.1, \"impactScore\": 6.0}]}",
      "published": "2022-11-10T18:15:10.690",
      "references": "[{\"url\": \"https://docs.docker.com/engine/security/#docker-daemon-attack-surface\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Technical Description\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/go-vela/server/releases/tag/v0.16.0\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/go-vela/ui/releases/tag/v0.17.0\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/go-vela/worker/releases/tag/v0.16.0\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/go-vela/worker/security/advisories/GHSA-2w78-ffv6-p46w\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://go-vela.github.io/docs/installation/server/reference/#vela_repo_allowlist\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://go-vela.github.io/docs/installation/worker/reference/#vela_runtime_privileged_images\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://docs.docker.com/engine/security/#docker-daemon-attack-surface\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Technical Description\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/go-vela/server/releases/tag/v0.16.0\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/go-vela/ui/releases/tag/v0.17.0\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/go-vela/worker/releases/tag/v0.16.0\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/go-vela/worker/security/advisories/GHSA-2w78-ffv6-p46w\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://go-vela.github.io/docs/installation/server/reference/#vela_repo_allowlist\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://go-vela.github.io/docs/installation/worker/reference/#vela_runtime_privileged_images\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-269\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-269\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-39395\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-11-10T18:15:10.690\",\"lastModified\":\"2024-11-21T07:18:12.223\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow exploitation and container breakouts. Users should upgrade to Server 0.16.0, Worker 0.16.0, and UI 0.17.0 to fix the issue. After upgrading, Vela administrators will need to explicitly change the default settings to configure Vela as desired. Some of the fixes will interrupt existing workflows and will require Vela administrators to modify default settings. However, not applying the patch (or workarounds) will continue existing risk exposure. Some workarounds are available. Vela administrators can adjust the worker\u0027s `VELA_RUNTIME_PRIVILEGED_IMAGES` setting to be explicitly empty, leverage the `VELA_REPO_ALLOWLIST` setting on the server component to restrict access to a list of repositories that are allowed to be enabled, and/or audit enabled repositories and disable pull_requests if they are not needed.\"},{\"lang\":\"es\",\"value\":\"Vela es un framework de Pipeline Automation (CI/CD) construido sobre tecnolog\u00eda de contenedores de Linux escrita en Golang. En Vela Server y Vela Worker anteriores a la versi\u00f3n 0.16.0 y Vela UI anteriores a la versi\u00f3n 0.17.0, algunas configuraciones predeterminadas para Vela permiten la explotaci\u00f3n y la ruptura de contenedores. Los usuarios deben actualizar a Server 0.16.0, Worker 0.16.0 y UI 0.17.0 para solucionar el problema. Despu\u00e9s de la actualizaci\u00f3n, los administradores de Vela deber\u00e1n cambiar expl\u00edcitamente la configuraci\u00f3n predeterminada para configurar Vela como deseen. Algunas de las correcciones interrumpir\u00e1n los flujos de trabajo existentes y requerir\u00e1n que los administradores de Vela modifiquen la configuraci\u00f3n predeterminada. Sin embargo, no aplicar el parche (o workarounds) continuar\u00e1 la exposici\u00f3n al riesgo existente. Algunas soluciones est\u00e1n disponibles. Los administradores de Vela pueden ajustar la configuraci\u00f3n `VELA_RUNTIME_PRIVILEGED_IMAGES` del trabajador para que est\u00e9 expl\u00edcitamente vac\u00eda, aprovechar la configuraci\u00f3n `VELA_REPO_ALLOWLIST` en el componente del servidor para restringir el acceso a una lista de repositorios que pueden habilitarse y/o auditar los repositorios habilitados y deshabilitar pull_requests si no son necesarios.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.6,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.1,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-269\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-269\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:go-vela:server:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.16.0\",\"matchCriteriaId\":\"92189644-4057-41AB-BF5A-BFA398413096\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:go-vela:ui:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.17.0\",\"matchCriteriaId\":\"EF033D57-F835-4EB7-9AA7-6D7B2F1E64BA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:go-vela:worker:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.16.0\",\"matchCriteriaId\":\"16935176-86CA-42A1-826F-8881FC07AB8A\"}]}]}],\"references\":[{\"url\":\"https://docs.docker.com/engine/security/#docker-daemon-attack-surface\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Technical Description\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/go-vela/server/releases/tag/v0.16.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/go-vela/ui/releases/tag/v0.17.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/go-vela/worker/releases/tag/v0.16.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/go-vela/worker/security/advisories/GHSA-2w78-ffv6-p46w\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://go-vela.github.io/docs/installation/server/reference/#vela_repo_allowlist\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://go-vela.github.io/docs/installation/worker/reference/#vela_runtime_privileged_images\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://docs.docker.com/engine/security/#docker-daemon-attack-surface\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Technical Description\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/go-vela/server/releases/tag/v0.16.0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/go-vela/ui/releases/tag/v0.17.0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/go-vela/worker/releases/tag/v0.16.0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/go-vela/worker/security/advisories/GHSA-2w78-ffv6-p46w\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://go-vela.github.io/docs/installation/server/reference/#vela_repo_allowlist\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://go-vela.github.io/docs/installation/worker/reference/#vela_runtime_privileged_images\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/go-vela/worker/security/advisories/GHSA-2w78-ffv6-p46w\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://docs.docker.com/engine/security/#docker-daemon-attack-surface\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/go-vela/server/releases/tag/v0.16.0\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/go-vela/ui/releases/tag/v0.17.0\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/go-vela/worker/releases/tag/v0.16.0\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://go-vela.github.io/docs/installation/server/reference/#vela_repo_allowlist\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://go-vela.github.io/docs/installation/worker/reference/#vela_runtime_privileged_images\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T12:07:41.884Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-39395\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-23T15:46:53.128029Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-23T15:46:54.675Z\"}}], \"cna\": {\"title\": \"Vela Insecure Defaults\", \"source\": {\"advisory\": \"GHSA-5m7g-pj8w-7593\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.6, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"go-vela\", \"product\": \"server\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.16.0\"}, {\"status\": \"affected\", \"version\": \"\u003c 0.17.0\"}]}], \"references\": [{\"url\": \"https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593\"}, {\"url\": \"https://github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v\"}, {\"url\": \"https://github.com/go-vela/worker/security/advisories/GHSA-2w78-ffv6-p46w\"}, {\"url\": \"https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4\"}, {\"url\": \"https://docs.docker.com/engine/security/#docker-daemon-attack-surface\"}, {\"url\": \"https://github.com/go-vela/server/releases/tag/v0.16.0\"}, {\"url\": \"https://github.com/go-vela/ui/releases/tag/v0.17.0\"}, {\"url\": \"https://github.com/go-vela/worker/releases/tag/v0.16.0\"}, {\"url\": \"https://go-vela.github.io/docs/installation/server/reference/#vela_repo_allowlist\"}, {\"url\": \"https://go-vela.github.io/docs/installation/worker/reference/#vela_runtime_privileged_images\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow exploitation and container breakouts. Users should upgrade to Server 0.16.0, Worker 0.16.0, and UI 0.17.0 to fix the issue. After upgrading, Vela administrators will need to explicitly change the default settings to configure Vela as desired. Some of the fixes will interrupt existing workflows and will require Vela administrators to modify default settings. However, not applying the patch (or workarounds) will continue existing risk exposure. Some workarounds are available. Vela administrators can adjust the worker\u0027s `VELA_RUNTIME_PRIVILEGED_IMAGES` setting to be explicitly empty, leverage the `VELA_REPO_ALLOWLIST` setting on the server component to restrict access to a list of repositories that are allowed to be enabled, and/or audit enabled repositories and disable pull_requests if they are not needed.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-269\", \"description\": \"CWE-269: Improper Privilege Management\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2022-11-10T00:00:00.000Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-39395\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-23T16:38:58.851Z\", \"dateReserved\": \"2022-09-02T00:00:00.000Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2022-11-10T00:00:00.000Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2022-39395

Vulnerability from fkie_nvd - Published: 2022-11-10 18:15 - Updated: 2024-11-21 07:18

Severity ?

9.6 (Critical) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://docs.docker.com/engine/security/#docker-daemon-attack-surface	Technical Description, Third Party Advisory
security-advisories@github.com	https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/go-vela/server/releases/tag/v0.16.0	Release Notes, Third Party Advisory
security-advisories@github.com	https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593	Third Party Advisory
security-advisories@github.com	https://github.com/go-vela/ui/releases/tag/v0.17.0	Release Notes, Third Party Advisory
security-advisories@github.com	https://github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v	Third Party Advisory
security-advisories@github.com	https://github.com/go-vela/worker/releases/tag/v0.16.0	Release Notes, Third Party Advisory
security-advisories@github.com	https://github.com/go-vela/worker/security/advisories/GHSA-2w78-ffv6-p46w	Third Party Advisory
security-advisories@github.com	https://go-vela.github.io/docs/installation/server/reference/#vela_repo_allowlist	Vendor Advisory
security-advisories@github.com	https://go-vela.github.io/docs/installation/worker/reference/#vela_runtime_privileged_images	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://docs.docker.com/engine/security/#docker-daemon-attack-surface	Technical Description, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/go-vela/server/releases/tag/v0.16.0	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/go-vela/ui/releases/tag/v0.17.0	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/go-vela/worker/releases/tag/v0.16.0	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/go-vela/worker/security/advisories/GHSA-2w78-ffv6-p46w	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://go-vela.github.io/docs/installation/server/reference/#vela_repo_allowlist	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://go-vela.github.io/docs/installation/worker/reference/#vela_runtime_privileged_images	Vendor Advisory

Impacted products

Vendor	Product	Version
go-vela	server	*
go-vela	ui	*
go-vela	worker	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:go-vela:server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "92189644-4057-41AB-BF5A-BFA398413096",
              "versionEndExcluding": "0.16.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:go-vela:ui:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EF033D57-F835-4EB7-9AA7-6D7B2F1E64BA",
              "versionEndExcluding": "0.17.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:go-vela:worker:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "16935176-86CA-42A1-826F-8881FC07AB8A",
              "versionEndExcluding": "0.16.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow exploitation and container breakouts. Users should upgrade to Server 0.16.0, Worker 0.16.0, and UI 0.17.0 to fix the issue. After upgrading, Vela administrators will need to explicitly change the default settings to configure Vela as desired. Some of the fixes will interrupt existing workflows and will require Vela administrators to modify default settings. However, not applying the patch (or workarounds) will continue existing risk exposure. Some workarounds are available. Vela administrators can adjust the worker\u0027s `VELA_RUNTIME_PRIVILEGED_IMAGES` setting to be explicitly empty, leverage the `VELA_REPO_ALLOWLIST` setting on the server component to restrict access to a list of repositories that are allowed to be enabled, and/or audit enabled repositories and disable pull_requests if they are not needed."
    },
    {
      "lang": "es",
      "value": "Vela es un framework de Pipeline Automation (CI/CD) construido sobre tecnolog\u00eda de contenedores de Linux escrita en Golang. En Vela Server y Vela Worker anteriores a la versi\u00f3n 0.16.0 y Vela UI anteriores a la versi\u00f3n 0.17.0, algunas configuraciones predeterminadas para Vela permiten la explotaci\u00f3n y la ruptura de contenedores. Los usuarios deben actualizar a Server 0.16.0, Worker 0.16.0 y UI 0.17.0 para solucionar el problema. Despu\u00e9s de la actualizaci\u00f3n, los administradores de Vela deber\u00e1n cambiar expl\u00edcitamente la configuraci\u00f3n predeterminada para configurar Vela como deseen. Algunas de las correcciones interrumpir\u00e1n los flujos de trabajo existentes y requerir\u00e1n que los administradores de Vela modifiquen la configuraci\u00f3n predeterminada. Sin embargo, no aplicar el parche (o workarounds) continuar\u00e1 la exposici\u00f3n al riesgo existente. Algunas soluciones est\u00e1n disponibles. Los administradores de Vela pueden ajustar la configuraci\u00f3n `VELA_RUNTIME_PRIVILEGED_IMAGES` del trabajador para que est\u00e9 expl\u00edcitamente vac\u00eda, aprovechar la configuraci\u00f3n `VELA_REPO_ALLOWLIST` en el componente del servidor para restringir el acceso a una lista de repositorios que pueden habilitarse y/o auditar los repositorios habilitados y deshabilitar pull_requests si no son necesarios."
    }
  ],
  "id": "CVE-2022-39395",
  "lastModified": "2024-11-21T07:18:12.223",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.6,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.9,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 6.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-11-10T18:15:10.690",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Technical Description",
        "Third Party Advisory"
      ],
      "url": "https://docs.docker.com/engine/security/#docker-daemon-attack-surface"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/go-vela/server/releases/tag/v0.16.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/go-vela/ui/releases/tag/v0.17.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/go-vela/worker/releases/tag/v0.16.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/go-vela/worker/security/advisories/GHSA-2w78-ffv6-p46w"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://go-vela.github.io/docs/installation/server/reference/#vela_repo_allowlist"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://go-vela.github.io/docs/installation/worker/reference/#vela_runtime_privileged_images"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Technical Description",
        "Third Party Advisory"
      ],
      "url": "https://docs.docker.com/engine/security/#docker-daemon-attack-surface"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/go-vela/server/releases/tag/v0.16.0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/go-vela/ui/releases/tag/v0.17.0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/go-vela/worker/releases/tag/v0.16.0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/go-vela/worker/security/advisories/GHSA-2w78-ffv6-p46w"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://go-vela.github.io/docs/installation/server/reference/#vela_repo_allowlist"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://go-vela.github.io/docs/installation/worker/reference/#vela_runtime_privileged_images"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-269"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-269"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2022-39395

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-39395

Aliases

CVE-2022-39395

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-39395",
    "description": "Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow exploitation and container breakouts. Users should upgrade to Server 0.16.0, Worker 0.16.0, and UI 0.17.0 to fix the issue. After upgrading, Vela administrators will need to explicitly change the default settings to configure Vela as desired. Some of the fixes will interrupt existing workflows and will require Vela administrators to modify default settings. However, not applying the patch (or workarounds) will continue existing risk exposure. Some workarounds are available. Vela administrators can adjust the worker\u0027s `VELA_RUNTIME_PRIVILEGED_IMAGES` setting to be explicitly empty, leverage the `VELA_REPO_ALLOWLIST` setting on the server component to restrict access to a list of repositories that are allowed to be enabled, and/or audit enabled repositories and disable pull_requests if they are not needed.",
    "id": "GSD-2022-39395"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-39395"
      ],
      "details": "Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow exploitation and container breakouts. Users should upgrade to Server 0.16.0, Worker 0.16.0, and UI 0.17.0 to fix the issue. After upgrading, Vela administrators will need to explicitly change the default settings to configure Vela as desired. Some of the fixes will interrupt existing workflows and will require Vela administrators to modify default settings. However, not applying the patch (or workarounds) will continue existing risk exposure. Some workarounds are available. Vela administrators can adjust the worker\u0027s `VELA_RUNTIME_PRIVILEGED_IMAGES` setting to be explicitly empty, leverage the `VELA_REPO_ALLOWLIST` setting on the server component to restrict access to a list of repositories that are allowed to be enabled, and/or audit enabled repositories and disable pull_requests if they are not needed.",
      "id": "GSD-2022-39395",
      "modified": "2023-12-13T01:19:20.422790Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-39395",
        "STATE": "PUBLIC",
        "TITLE": "Vela Insecure Defaults"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "server",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 0.16.0"
                        },
                        {
                          "version_value": "\u003c 0.17.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "go-vela"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow exploitation and container breakouts. Users should upgrade to Server 0.16.0, Worker 0.16.0, and UI 0.17.0 to fix the issue. After upgrading, Vela administrators will need to explicitly change the default settings to configure Vela as desired. Some of the fixes will interrupt existing workflows and will require Vela administrators to modify default settings. However, not applying the patch (or workarounds) will continue existing risk exposure. Some workarounds are available. Vela administrators can adjust the worker\u0027s `VELA_RUNTIME_PRIVILEGED_IMAGES` setting to be explicitly empty, leverage the `VELA_REPO_ALLOWLIST` setting on the server component to restrict access to a list of repositories that are allowed to be enabled, and/or audit enabled repositories and disable pull_requests if they are not needed."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT",
          "availabilityImpact": "HIGH",
          "baseScore": 9.6,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-269: Improper Privilege Management"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593",
            "refsource": "CONFIRM",
            "url": "https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593"
          },
          {
            "name": "https://github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v",
            "refsource": "MISC",
            "url": "https://github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v"
          },
          {
            "name": "https://github.com/go-vela/worker/security/advisories/GHSA-2w78-ffv6-p46w",
            "refsource": "MISC",
            "url": "https://github.com/go-vela/worker/security/advisories/GHSA-2w78-ffv6-p46w"
          },
          {
            "name": "https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4",
            "refsource": "MISC",
            "url": "https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4"
          },
          {
            "name": "https://docs.docker.com/engine/security/#docker-daemon-attack-surface",
            "refsource": "MISC",
            "url": "https://docs.docker.com/engine/security/#docker-daemon-attack-surface"
          },
          {
            "name": "https://github.com/go-vela/server/releases/tag/v0.16.0",
            "refsource": "MISC",
            "url": "https://github.com/go-vela/server/releases/tag/v0.16.0"
          },
          {
            "name": "https://github.com/go-vela/ui/releases/tag/v0.17.0",
            "refsource": "MISC",
            "url": "https://github.com/go-vela/ui/releases/tag/v0.17.0"
          },
          {
            "name": "https://github.com/go-vela/worker/releases/tag/v0.16.0",
            "refsource": "MISC",
            "url": "https://github.com/go-vela/worker/releases/tag/v0.16.0"
          },
          {
            "name": "https://go-vela.github.io/docs/installation/server/reference/#vela_repo_allowlist",
            "refsource": "MISC",
            "url": "https://go-vela.github.io/docs/installation/server/reference/#vela_repo_allowlist"
          },
          {
            "name": "https://go-vela.github.io/docs/installation/worker/reference/#vela_runtime_privileged_images",
            "refsource": "MISC",
            "url": "https://go-vela.github.io/docs/installation/worker/reference/#vela_runtime_privileged_images"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-5m7g-pj8w-7593",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003cv0.16.0",
          "affected_versions": "All versions before 0.16.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-269",
            "CWE-937"
          ],
          "date": "2022-11-17",
          "description": "Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow exploitation and container breakouts. Users should upgrade to Server 0.16.0, Worker 0.16.0, and UI 0.17.0 to fix the issue. After upgrading, Vela administrators will need to explicitly change the default settings to configure Vela as desired. Some of the fixes will interrupt existing workflows and will require Vela administrators to modify default settings. However, not applying the patch (or workarounds) will continue existing risk exposure. Some workarounds are available. Vela administrators can adjust the worker\u0027s `VELA_RUNTIME_PRIVILEGED_IMAGES` setting to be explicitly empty, leverage the `VELA_REPO_ALLOWLIST` setting on the server component to restrict access to a list of repositories that are allowed to be enabled, and/or audit enabled repositories and disable pull_requests if they are not needed.",
          "fixed_versions": [
            "v0.16.0"
          ],
          "identifier": "CVE-2022-39395",
          "identifiers": [
            "CVE-2022-39395",
            "GHSA-5m7g-pj8w-7593",
            "GHSA-xf39-98m2-889v",
            "GHSA-2w78-ffv6-p46w",
            "GMS-2022-6556"
          ],
          "not_impacted": "",
          "package_slug": "go/github.com/go-vela/server",
          "pubdate": "2022-11-10",
          "solution": "Upgrade to version 0.16.0 or above.",
          "title": "Improper Privilege Management",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-39395",
            "https://go-vela.github.io/docs/installation/server/reference/#vela_repo_allowlist",
            "https://github.com/go-vela/worker/releases/tag/v0.16.0",
            "https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4",
            "https://docs.docker.com/engine/security/#docker-daemon-attack-surface",
            "https://github.com/go-vela/ui/releases/tag/v0.17.0",
            "https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593",
            "https://go-vela.github.io/docs/installation/worker/reference/#vela_runtime_privileged_images",
            "https://github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v",
            "https://github.com/go-vela/worker/security/advisories/GHSA-2w78-ffv6-p46w",
            "https://github.com/go-vela/server/releases/tag/v0.16.0",
            "https://advisory-inbox.githubapp.com/advisory_reviews/GHSA-xf39-98m2-889v",
            "https://github.com/advisories/GHSA-5m7g-pj8w-7593"
          ],
          "uuid": "f2fd47fa-40c6-4fee-8352-2234b297c723",
          "versions": [
            {
              "commit": {
                "sha": "e972584299eb9989525aa62df9438d9bd60429f1",
                "tags": [
                  "v0.16.0"
                ],
                "timestamp": "20221109161535"
              },
              "number": "v0.16.0"
            }
          ]
        },
        {
          "affected_range": "\u003c0",
          "affected_versions": "All versions before 0.16.0",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-11-09",
          "description": "Some current default configurations for Vela allow exploitation and container breakouts. Running Vela plugins as privileged Docker containers allows a malicious user to easily break out of the container and gain access to the worker host operating system. On a fresh install of Vela without any additional configuration, the `target/vela-docker` plugin will run as a privileged container, even if the Vela administrators did not intend to allow for any privileged plugins, and even if the vela.yml configuration file does not use the `privileged = True` flag. Privileged containers permit trivial breakouts, which can pose significant risk to the environment in which Vela is running.",
          "fixed_versions": [
            "v0.16.0"
          ],
          "identifier": "GMS-2022-6556",
          "identifiers": [
            "GHSA-5m7g-pj8w-7593",
            "GMS-2022-6556",
            "CVE-2022-39395"
          ],
          "not_impacted": "All versions starting from 0.16.0",
          "package_slug": "go/github.com/go-vela/server",
          "pubdate": "2022-11-09",
          "solution": "Upgrade to version 0.16.0 or above.",
          "title": "Duplicate of ./go/github.com/go-vela/server/CVE-2022-39395.yml",
          "urls": [
            "https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593",
            "https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4",
            "https://advisory-inbox.githubapp.com/advisory_reviews/GHSA-xf39-98m2-889v",
            "https://docs.docker.com/engine/security/#docker-daemon-attack-surface",
            "https://github.com/go-vela/server/releases/tag/v0.16.0",
            "https://github.com/advisories/GHSA-5m7g-pj8w-7593"
          ],
          "uuid": "bf934b13-e9de-4cd7-8253-548b5aaa1cd1",
          "versions": [
            {
              "commit": {
                "sha": "e972584299eb9989525aa62df9438d9bd60429f1",
                "tags": [
                  "v0.16.0"
                ],
                "timestamp": "20221109161535"
              },
              "number": "v0.16.0"
            }
          ]
        },
        {
          "affected_range": "\u003cv0.16.0",
          "affected_versions": "All versions before 0.16.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-269",
            "CWE-937"
          ],
          "date": "2022-11-17",
          "description": "Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow exploitation and container breakouts. Users should upgrade to Server 0.16.0, Worker 0.16.0, and UI 0.17.0 to fix the issue. After upgrading, Vela administrators will need to explicitly change the default settings to configure Vela as desired. Some of the fixes will interrupt existing workflows and will require Vela administrators to modify default settings. However, not applying the patch (or workarounds) will continue existing risk exposure. Some workarounds are available. Vela administrators can adjust the worker\u0027s `VELA_RUNTIME_PRIVILEGED_IMAGES` setting to be explicitly empty, leverage the `VELA_REPO_ALLOWLIST` setting on the server component to restrict access to a list of repositories that are allowed to be enabled, and/or audit enabled repositories and disable pull_requests if they are not needed.",
          "fixed_versions": [
            "v0.16.0"
          ],
          "identifier": "CVE-2022-39395",
          "identifiers": [
            "CVE-2022-39395",
            "GHSA-5m7g-pj8w-7593",
            "GHSA-xf39-98m2-889v",
            "GHSA-2w78-ffv6-p46w",
            "GMS-2022-6557"
          ],
          "not_impacted": "All versions after 0.16.0",
          "package_slug": "go/github.com/go-vela/worker",
          "pubdate": "2022-11-10",
          "solution": "Upgrade to version 0.16.0 or above.",
          "title": "Improper Privilege Management",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-39395",
            "https://go-vela.github.io/docs/installation/server/reference/#vela_repo_allowlist",
            "https://github.com/go-vela/worker/releases/tag/v0.16.0",
            "https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4",
            "https://docs.docker.com/engine/security/#docker-daemon-attack-surface",
            "https://github.com/go-vela/ui/releases/tag/v0.17.0",
            "https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593",
            "https://go-vela.github.io/docs/installation/worker/reference/#vela_runtime_privileged_images",
            "https://github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v",
            "https://github.com/go-vela/worker/security/advisories/GHSA-2w78-ffv6-p46w",
            "https://github.com/go-vela/server/releases/tag/v0.16.0",
            "https://advisory-inbox.githubapp.com/advisory_reviews/GHSA-xf39-98m2-889v",
            "https://github.com/advisories/GHSA-5m7g-pj8w-7593"
          ],
          "uuid": "3eaaef7c-b948-4824-9fd1-d914e0607e3a",
          "versions": [
            {
              "commit": {
                "sha": "31964ee6a79c70cc4a9b5927e7f7573a71762148",
                "tags": [
                  "v0.16.0"
                ],
                "timestamp": "20221109163243"
              },
              "number": "v0.16.0"
            }
          ]
        },
        {
          "affected_range": "\u003c0",
          "affected_versions": "All versions before 0.16.0",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-11-09",
          "description": "Some current default configurations for Vela allow exploitation and container breakouts. Running Vela plugins as privileged Docker containers allows a malicious user to easily break out of the container and gain access to the worker host operating system. On a fresh install of Vela without any additional configuration, the `target/vela-docker` plugin will run as a privileged container, even if the Vela administrators did not intend to allow for any privileged plugins, and even if the vela.yml configuration file does not use the privileged = True flag. Privileged containers permit trivial breakouts, which can pose significant risk to the environment in which Vela is running.",
          "fixed_versions": [
            "v0.16.0"
          ],
          "identifier": "GMS-2022-6557",
          "identifiers": [
            "GHSA-5m7g-pj8w-7593",
            "GMS-2022-6557",
            "CVE-2022-39395"
          ],
          "not_impacted": "All versions starting from 0.16.0",
          "package_slug": "go/github.com/go-vela/worker",
          "pubdate": "2022-11-09",
          "solution": "Upgrade to version 0.16.0 or above.",
          "title": "Duplicate of ./go/github.com/go-vela/worker/CVE-2022-39395.yml",
          "urls": [
            "https://github.com/go-vela/worker/security/advisories/GHSA-2w78-ffv6-p46w",
            "https://advisory-inbox.githubapp.com/advisory_reviews/GHSA-xf39-98m2-889v",
            "https://docs.docker.com/engine/security/#docker-daemon-attack-surface",
            "https://github.com/go-vela/server/releases/tag/v0.16.0",
            "https://github.com/advisories/GHSA-5m7g-pj8w-7593"
          ],
          "uuid": "f74c96ee-e225-45c7-9ac7-edad494c6146",
          "versions": [
            {
              "commit": {
                "sha": "31964ee6a79c70cc4a9b5927e7f7573a71762148",
                "tags": [
                  "v0.16.0"
                ],
                "timestamp": "20221109163243"
              },
              "number": "v0.16.0"
            }
          ]
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:go-vela:ui:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.17.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:go-vela:worker:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.16.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:go-vela:server:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.16.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-39395"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow exploitation and container breakouts. Users should upgrade to Server 0.16.0, Worker 0.16.0, and UI 0.17.0 to fix the issue. After upgrading, Vela administrators will need to explicitly change the default settings to configure Vela as desired. Some of the fixes will interrupt existing workflows and will require Vela administrators to modify default settings. However, not applying the patch (or workarounds) will continue existing risk exposure. Some workarounds are available. Vela administrators can adjust the worker\u0027s `VELA_RUNTIME_PRIVILEGED_IMAGES` setting to be explicitly empty, leverage the `VELA_REPO_ALLOWLIST` setting on the server component to restrict access to a list of repositories that are allowed to be enabled, and/or audit enabled repositories and disable pull_requests if they are not needed."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-269"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://go-vela.github.io/docs/installation/server/reference/#vela_repo_allowlist",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://go-vela.github.io/docs/installation/server/reference/#vela_repo_allowlist"
            },
            {
              "name": "https://github.com/go-vela/worker/releases/tag/v0.16.0",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/go-vela/worker/releases/tag/v0.16.0"
            },
            {
              "name": "https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4"
            },
            {
              "name": "https://docs.docker.com/engine/security/#docker-daemon-attack-surface",
              "refsource": "MISC",
              "tags": [
                "Technical Description",
                "Third Party Advisory"
              ],
              "url": "https://docs.docker.com/engine/security/#docker-daemon-attack-surface"
            },
            {
              "name": "https://github.com/go-vela/ui/releases/tag/v0.17.0",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/go-vela/ui/releases/tag/v0.17.0"
            },
            {
              "name": "https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593"
            },
            {
              "name": "https://go-vela.github.io/docs/installation/worker/reference/#vela_runtime_privileged_images",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://go-vela.github.io/docs/installation/worker/reference/#vela_runtime_privileged_images"
            },
            {
              "name": "https://github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v"
            },
            {
              "name": "https://github.com/go-vela/worker/security/advisories/GHSA-2w78-ffv6-p46w",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/go-vela/worker/security/advisories/GHSA-2w78-ffv6-p46w"
            },
            {
              "name": "https://github.com/go-vela/server/releases/tag/v0.16.0",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/go-vela/server/releases/tag/v0.16.0"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.1,
          "impactScore": 6.0
        }
      },
      "lastModifiedDate": "2022-11-17T16:45Z",
      "publishedDate": "2022-11-10T18:15Z"
    }
  }
}

GHSA-5M7G-PJ8W-7593

Vulnerability from github – Published: 2022-11-09 19:17 – Updated: 2024-09-06 21:33

Summary

Vela Insecure Defaults

Details

Impact

Some current default configurations for Vela allow exploitation and container breakouts.

Default Privileged Images

Running Vela plugins as privileged Docker containers allows a malicious user to easily break out of the container and gain access to the worker host operating system. On a fresh install of Vela without any additional configuration, the target/vela-docker plugin will run as a privileged container, even if the Vela administrators did not intend to allow for any privileged plugins, and even if the vela.yml configuration file does not use the privileged = True flag.

Privileged containers permit trivial breakouts, which can pose significant risk to the environment in which Vela is running.

Default Allowed Repositories

On a fresh install of Vela, anyone with a GitHub account (or other enabled source control management solution) is allowed to enable a repository within Vela and run builds. This means that, if a Vela instance is accessible to the public, a third party could add their own malicious repos to the Vela instance and run arbitrary code.

An example of a publicly accessible Vela instance would be one not protected behind a VPN. Whether Vela is publicly accessible depends on how Vela is set up, NOT how it is connected to GitHub.

Default Enabled Events allows Pull Requests

By default, Vela currently enables pull request events when a repository is Vela-enabled. Unless this default was changed when enabling each repository, anyone who can issue a pull request against a repository can trigger a Vela job.

This not only permits a third party to run arbitrary code in a Vela environment, but also poses an additional risk when secrets within Vela are configured to be available in pull requests, permitting anyone with access to create pull requests to access these secrets.

Patches

Upgrade to 0.16.0 or later. After upgrading, Vela administrators will need to explicitly change the default settings to configure Vela as desired.

Some of the fixes will interrupt existing workflows and will require Vela administrators to modify default settings (see release notes for more information). However, not applying the patch (or workarounds) will continue existing risk exposure.

Workarounds

Default Privileged Images

Instead of upgrading, the Vela administrators can adjust the worker's VELA_RUNTIME_PRIVILEGED_IMAGES setting to be explicitly empty:

VELA_RUNTIME_PRIVILEGED_IMAGES=""

By assigning VELA_RUNTIME_PRIVILEGED_IMAGES to an empty value it disallows any images from running as privileged containers in Vela.

Default Allowed Repositories

Instead of upgrading, the Vela administrators can leverage the VELA_REPO_ALLOWLIST setting on the server component to restrict access to a list of repositories that are allowed to be enabled.

By changing it from the default empty list (currently interpreted by Vela as "all repositories") to a list explicitly allowing specific repositories, Vela administrators can control what repositories are allowed to be enabled in Vela.

Vela's current default list of approved repositories that can be added to a Vela instance is an empty list. However this is currently interpreted as allowing all repositories.

In the updated version, a null value (the empty list) will be interpreted as permitting no repositories to be added to a Vela instance.

Default Enabled Events allows Pull Requests

Audit enabled repositories and disable pull_requests if they are not needed.

Instead of upgrading, the pull request trigger can be disabled on a per-repository basis.

Additional protection can be provided by preventing unauthorized users from submitting pull requests in GitHub (or other source control management solution).

Residual Risk

Default Privileged Images

After applying the update, any repos that Vela administrators manually define as "trusted repos" will be able to run the manually-specified images that are allowed to run as privileged. Those repos will continue to be vulnerable to breakout, but applying the update will help protect against the risk of trivial breakout arising from an image running as a privileged container.

The recommendation is to utilize plugins that do not require privileged capabilities.

For example, utilize target/vela-kaniko instead of target/vela-docker as the Kaniko plugin does not require privileged access.

Default Allowed Repositories

Applying this update (or workaround) will protect against the risk of Vela interpreting the default empty list of approved repositories as "all repositories" rather than "no repositories" (the current default).

Default Enabled Events allows Pull Requests

Since this change only impacts newly enabled repositories, the update will not address the risk to existing enabled repositories resulting from Vela enabling pull request events when a repository is Vela-enabled.

Additionally, this change only impacts defaults; users can still configure their repositories to allow pull requests as triggering events.

In order to monitor risk going forward, refer to the Workaround section with the heading Default Enabled Events allows Pull Requests.

For more information

If you have any questions or comments about this advisory: * Email us at vela@target.com

Affected products: go-vela/worker, go-vela/server, go-vela/ui, go-vela/documentation

Severity ?

9.9 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/go-vela/server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.16.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/go-vela/worker"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.16.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-39395"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-09T19:17:21Z",
    "nvd_published_at": "2022-11-10T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nSome current default configurations for Vela allow exploitation and container breakouts.\n\n#### Default Privileged Images\n\nRunning Vela plugins as privileged Docker containers allows a malicious user to easily break out of the container and gain access to the worker host operating system. On a fresh install of Vela without any additional configuration, the `target/vela-docker` plugin will run as a privileged container, even if the Vela administrators did not intend to allow for any privileged plugins, and even if the `vela.yml` configuration file does not use the `privileged = True` flag.\n\nPrivileged containers permit trivial breakouts, which can pose significant risk to the environment in which Vela is running.\n\n#### Default Allowed Repositories\n\nOn a fresh install of Vela, anyone with a GitHub account (or other enabled source control management solution) is allowed to enable a repository within Vela and run builds. This means that, if a Vela instance is accessible to the public, a third party could add their own malicious repos to the Vela instance and run arbitrary code.\n\nAn example of a publicly accessible Vela instance would be one not protected behind a VPN. Whether Vela is publicly accessible depends on how Vela is set up, NOT how it is connected to GitHub.\n\n#### Default Enabled Events allows Pull Requests\n\nBy default, Vela currently enables pull request events when a repository is Vela-enabled. Unless this default was changed when enabling each repository, anyone who can issue a pull request against a repository can trigger a Vela job.\n\nThis not only permits a third party to run arbitrary code in a Vela environment, but also poses an additional risk when secrets within Vela are configured to be available in pull requests, permitting anyone with access to create pull requests to access these secrets.\n\n### Patches\n\nUpgrade to 0.16.0 or later. After upgrading, Vela administrators will need to explicitly change the default settings to configure Vela as desired.\n\nSome of the fixes will interrupt existing workflows and will require Vela administrators to modify default settings (see release notes for more information). However, not applying the patch (or workarounds) will continue existing risk exposure.\n\n### Workarounds\n\n#### Default Privileged Images\n\nInstead of upgrading, the Vela administrators can adjust the worker\u0027s `VELA_RUNTIME_PRIVILEGED_IMAGES` setting to be explicitly empty:\n\n`VELA_RUNTIME_PRIVILEGED_IMAGES=\"\"`\n\nBy assigning `VELA_RUNTIME_PRIVILEGED_IMAGES` to an empty value it disallows any images from running as privileged containers in Vela.\n\n#### Default Allowed Repositories\n\nInstead of upgrading, the Vela administrators can leverage the `VELA_REPO_ALLOWLIST` setting on the server component to restrict access to a list of repositories that are allowed to be enabled.\n\nBy changing it from the default empty list (currently interpreted by Vela as \"all repositories\") to a list explicitly allowing specific repositories, Vela administrators can control what repositories are allowed to be enabled in Vela.\n\nVela\u0027s current default list of approved repositories that can be added to a Vela instance is an empty list. However this is currently interpreted as allowing all repositories.\n\nIn the updated version, a null value (the empty list) will be interpreted as permitting no repositories to be added to a Vela instance.\n\n#### Default Enabled Events allows Pull Requests\n\nAudit enabled repositories and disable `pull_requests` if they are not needed.\n\nInstead of upgrading, the pull request trigger can be disabled on a per-repository basis.\n\nAdditional protection can be provided by preventing unauthorized users from submitting pull requests in GitHub (or other source control management solution).\n\n### Residual Risk\n\n#### Default Privileged Images\n\nAfter applying the update, any repos that Vela administrators manually define as \"trusted repos\" will be able to run the manually-specified images that are allowed to run as privileged. Those repos will continue to be vulnerable to breakout, but applying the update will help protect against the risk of trivial breakout arising from an image running as a privileged container.\n\nThe recommendation is to utilize plugins that do not require privileged capabilities.\n\nFor example, utilize `target/vela-kaniko` instead of `target/vela-docker` as the Kaniko plugin does not require privileged access.\n\n#### Default Allowed Repositories\n\nApplying this update (or workaround) will protect against the risk of Vela interpreting the default empty list of approved repositories as \"all repositories\" rather than \"no repositories\" (the current default).\n\n#### Default Enabled Events allows Pull Requests\n\nSince this change only impacts newly enabled repositories, the update will not address the risk to existing enabled repositories resulting from Vela enabling pull request events when a repository is Vela-enabled.\n\nAdditionally, this change only impacts defaults; users can still configure their repositories to allow pull requests as triggering events.\n\nIn order to monitor risk going forward, refer to the `Workaround` section with the heading `Default Enabled Events allows Pull Requests`.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [vela@target.com](mailto:vela@target.com)\n\nAffected products: `go-vela/worker`, `go-vela/server`, `go-vela/ui`, `go-vela/documentation`",
  "id": "GHSA-5m7g-pj8w-7593",
  "modified": "2024-09-06T21:33:41Z",
  "published": "2022-11-09T19:17:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vela/worker/security/advisories/GHSA-2w78-ffv6-p46w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39395"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4"
    },
    {
      "type": "WEB",
      "url": "https://docs.docker.com/engine/security/#docker-daemon-attack-surface"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vela/server/releases/tag/v0.16.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vela/ui/releases/tag/v0.17.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vela/worker/releases/tag/v0.16.0"
    },
    {
      "type": "WEB",
      "url": "https://go-vela.github.io/docs/installation/server/reference/#vela_repo_allowlist"
    },
    {
      "type": "WEB",
      "url": "https://go-vela.github.io/docs/installation/worker/reference/#vela_runtime_privileged_images"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-1100"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vela Insecure Defaults"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-39395 (GCVE-0-2022-39395)

FKIE_CVE-2022-39395

GSD-2022-39395

GHSA-5M7G-PJ8W-7593

Impact

Default Privileged Images

Default Allowed Repositories

Default Enabled Events allows Pull Requests

Patches

Workarounds

Default Privileged Images

Default Allowed Repositories

Default Enabled Events allows Pull Requests

Residual Risk

Default Privileged Images

Default Allowed Repositories

Default Enabled Events allows Pull Requests

For more information

Tags

Sightings

Nomenclature