CVE-2024-28236
CVSS 3.1 Score 7.7 of 10 (high)
Details
Summary
CVE-2024-28236 affects the Vela pipeline automation framework, a CI/CD tool built on Linux container technology. A pipeline can combine variable substitution with fields the framework treats as insensitive (such as plugin parameters) to inject secret values into a plugin or image, after which those values can be exposed in the build logs. This particularly affects secrets restricted by the "no commands" option: the restriction is bypassed, the secret values are used in unintended ways, and the risk of exposure during image execution increases. Remediation involves treating parameters as insensitive and avoiding sensitive values in plugin parameters. The vulnerability has a base severity of HIGH, with a CVSS score of 7.7, indicating a potential threat to an organization's confidentiality.