
4 matches found

OSV
added 2024/03/15 8:9 p.m. · 9 views

GHSA-V8MX-HP2Q-GW85 Golang SDK for Vela Insecure Variable Substitution

Impact: Vela pipelines can use variable substitution combined with insensitive fields like parameters, image and entrypoint to inject secrets into a plugin/image and — by using common substitution string manipulation — can bypass log masking and expose secrets without the use of the commands block...

CVSS 7.7 · AI score 7.3
Exploits: 0 · References: 3
Github Security Blog
added 2024/03/15 8:6 p.m. · 19 views

Server/API for Vela Insecure Variable Substitution

Impact: Vela pipelines can use variable substitution combined with insensitive fields like parameters, image and entrypoint to inject secrets into a plugin/image and — by using common substitution string manipulation — can bypass log masking and expose secrets without the use of the commands block...

AI score 7.3
Exploits: 0 · References: 3 · Affected Software: 1
CVE
added 2022/11/10 12:0 a.m. · 117 views

CVE-2022-39395

CVE-2022-39395 : Vela’s default configuration allows container breakout in Vela Server/Worker (pre-0.16.0) and Vela UI (pre-0.17.0). Upgrading to Server 0.16.0, Worker 0.16.0, and UI 0.17.0 is required to fix the issue; after patching, admins must explicitly adjust defaults to their desired confi...

CVSS 9.9 · AI score 9.3 · EPSS 0.03676
Exploits: 0 · References: 10 · Affected Software: 3
Positive Technologies
added 2022/11/09 12:0 a.m. · 2 views

PT-2022-24954 · Vela Ui +2 · Vela Ui +3

Name of the Vulnerable Software and Affected Versions: Vela Server versions prior to 0.16.0; Vela Worker versions prior to 0.16.0; Vela UI versions prior to 0.17.0. Description: The issue concerns default configurations in Vela that allow exploitation and container breakouts. Specifically, running...

CVSS 9.9 · AI score 8 · EPSS 0.03676
Exploits: 0 · References: 16