CVE-2020-26294

Description

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's env function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets.

CVSS Version 3.1
CVSS Version 2.0

nvd
CVE ID: CVE-2020-26294
Base Score: 5.3
Base Severity: MEDIUM
Vector String:CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Impact Score: 1.4
Exploitability Score: 3.9

github
CVE ID: CVE-2020-26294
Base Score: 7.4
Base Severity: HIGH
Vector String:CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Impact Score: 4.0
Exploitability Score: 2.8

nvd
CVE ID: CVE-2020-26294
Base Score: 5.0
Base Severity: MEDIUM
Vector String:AV:N/AC:L/Au:N/C:P/I:N/A:N

Refrence: NVD MITRE

Description​

Description