CVE-2024-41122 Custom environment variables allow to alter execution flow of plugins in Woodpecker

2024-07-1919:58:41

CWE-74

GitHub_M

www.cve.org

cve-2024-41122

custom environment variables

alter execution flow

woodpecker

server vulnerability

host takeover

extract secrets

release version 2.7.0

upgrade

no known workarounds

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

Percentile

16.0%

JSON

Woodpecker is a simple yet powerful CI/CD engine with great extensibility. The server allow to create any user who can trigger a pipeline run malicious workflows: 1. Those workflows can either lead to a host takeover that runs the agent executing the workflow. 2. Or allow to extract the secrets who would be normally provided to the plugins who’s entrypoint are overwritten. This issue has been addressed in release version 2.7.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CNA Affected

[
  {
    "vendor": "woodpecker-ci",
    "product": "woodpecker",
    "versions": [
      {
        "version": "< 2.7.0",
        "status": "affected"
      }
    ]
  }
]