Skip to content

x/vulndb: potential Go vuln in github.com/go-vela/server: CVE-2022-39395 #1102

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Closed
GoVulnBot opened this issue Nov 10, 2022 · 3 comments
Closed

x/vulndb: potential Go vuln in github.com/go-vela/server: CVE-2022-39395 #1102

GoVulnBot opened this issue Nov 10, 2022 · 3 comments
Assignees
@zpavlinovic
Labels
duplicate excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Comments

@GoVulnBot
Copy link

CVE-2022-39395 references github.com/go-vela/server, which may be a Go module.

Description:
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow exploitation and container breakouts. Users should upgrade to Server 0.16.0, Worker 0.16.0, and UI 0.17.0 to fix the issue. After upgrading, Vela administrators will need to explicitly change the default settings to configure Vela as desired. Some of the fixes will interrupt existing workflows and will require Vela administrators to modify default settings. However, not applying the patch (or workarounds) will continue existing risk exposure. Some workarounds are available. Vela administrators can adjust the worker's VELA_RUNTIME_PRIVILEGED_IMAGES setting to be explicitly empty, leverage the VELA_REPO_ALLOWLIST setting on the server component to restrict access to a list of repositories that are allowed to be enabled, and/or audit enabled repositories and disable pull_requests if they are not needed.

References:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/go-vela/server
    packages:
      - package: server
description: |
    Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow exploitation and container breakouts. Users should upgrade to Server 0.16.0, Worker 0.16.0, and UI 0.17.0 to fix the issue. After upgrading, Vela administrators will need to explicitly change the default settings to configure Vela as desired. Some of the fixes will interrupt existing workflows and will require Vela administrators to modify default settings. However, not applying the patch (or workarounds) will continue existing risk exposure. Some workarounds are available. Vela administrators can adjust the worker's `VELA_RUNTIME_PRIVILEGED_IMAGES` setting to be explicitly empty, leverage the `VELA_REPO_ALLOWLIST` setting on the server component to restrict access to a list of repositories that are allowed to be enabled, and/or audit enabled repositories and disable pull_requests if they are not needed.
cves:
  - CVE-2022-39395
references:
  - web: https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593
  - web: https://github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v
  - web: https://github.com/go-vela/worker/security/advisories/GHSA-2w78-ffv6-p46w
  - fix: https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4
  - web: https://docs.docker.com/engine/security/#docker-daemon-attack-surface
  - web: https://github.com/go-vela/server/releases/tag/v0.16.0
  - web: https://github.com/go-vela/ui/releases/tag/v0.17.0
  - web: https://github.com/go-vela/worker/releases/tag/v0.16.0
  - web: https://go-vela.github.io/docs/installation/server/reference/#vela_repo_allowlist
  - fix: https://go-vela.github.io/docs/installation/worker/reference/#vela_runtime_privileged_images
@zpavlinovic zpavlinovic self-assigned this Nov 10, 2022
@zpavlinovic zpavlinovic added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Nov 10, 2022
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/449516 mentions this issue: data/excluded: add GO-2022-1102.yaml

@tatianab
Copy link
Contributor

Duplicate of #1100

@tatianab tatianab marked this as a duplicate of #1100 Nov 18, 2022
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/451278 mentions this issue: data/excluded: merge GO-2022-1100.yaml and GO-2022-1102

gopherbot pushed a commit that referenced this issue Nov 18, 2022
@tatianab
data/excluded: merge GO-2022-1100.yaml and GO-2022-1102
a70a618 
Merge duplicate reports.

Aliases: CVE-2022-39395, GHSA-5m7g-pj8w-7593

Updates #1100, #1102

Change-Id: I6351bfe10fe7ca7ad2323c937248ff36db1e4f6e
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/451278
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@zpavlinovic zpavlinovic

Labels
duplicate excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@zpavlinovic @tatianab @gopherbot @GoVulnBot