github.com/go-vela/[server, ui, worker] is vulnerable to privilege escalation. The vulnerability exists when the vera.yml
configuration file is not using the privileged = True
flag, allowing an attacker to easily break out of the container and gain access to the host worker operating system.
docs.docker.com/engine/security/#docker-daemon-attack-surface
github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4
github.com/go-vela/server/releases/tag/v0.16.0
github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593
github.com/go-vela/ui/commit/885efce30b84486357554eadef9c5fec84011c6c
github.com/go-vela/ui/releases/tag/v0.17.0
github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v
github.com/go-vela/worker/commit/a40039059d713c96275c0427a695a09f79195f29
github.com/go-vela/worker/releases/tag/v0.16.0
github.com/go-vela/worker/security/advisories/GHSA-2w78-ffv6-p46w
go-vela.github.io/docs/installation/server/reference/#vela_repo_allowlist
go-vela.github.io/docs/installation/worker/reference/#vela_runtime_privileged_images