Exposure of server configuration in github.com/go-vela/server

Impact

What kind of vulnerability is it? Who is impacted?

• The ability to expose configuration set in the Vela server via pipeline template functionality.
• It impacts all users of Vela.

Sample of template exposing server configuration using Sprig’s env function:

metadata:
  template: true

steps:
  - name: sample
    image: alpine:latest
    commands:
      # OAuth client ID for Vela <-> GitHub communication
      - echo {{ env "VELA_SOURCE_CLIENT" }}
      # secret used for server <-> worker communication
      - echo {{ env "VELA_SECRET" }}

Patches

Has the problem been patched? What versions should users upgrade to?

• Upgrade to 0.6.1

Additional Recommended Action(s)

• Rotate all secrets

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

• No

For more information

If you have any questions or comments about this advisory:

• Email us at [email protected]