CVE-2024-28236

CVSS 3.1 Score 7.7 of 10 (high)

Details

Published Mar 12, 2024
Updated: Mar 13, 2024
CWE ID 200
CWE ID 532

Summary

Vulnerability CVE-2024-28236 affects the Vela Pipeline Automation framework, a CI/CD tool built on Linux container technology. Through a combination of variable substitution and fields treated as insensitive, secret values can be injected into plugins/images and exposed in logs. This particularly affects secrets restricted by the "no commands" option, leading to unintended use of secret values and an increased risk of exposure during image execution. Remediation involves treating plugin parameters as insensitive and avoiding sensitive values in them. The vulnerability has a base severity of HIGH, with a CVSS score of 7.7, indicating a potential threat to an organization's confidentiality.
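To make the mechanism concrete, the following is an added example and not Vela's own code: a simplified model in which a "no commands" secret is substituted into a plugin parameter and then written to the log as an insensitive field, beside the remediated behaviour that rejects secret references in parameters and a log check that detects a leaked value. The `${NAME}` substitution syntax, the field names and the `PARAMETER_*` log format are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed, simplified model of the behaviour the advisory describes. It is
# not Vela's own code: the ${NAME} substitution syntax, field names and the
# PARAMETER_* log format are assumptions made for illustration.
SUBST = re.compile(r"\$\{([A-Za-z0-9_]+)\}")

@dataclass
class Secret:
    name: str
    value: str
    no_commands: bool = False  # the "no commands" restriction named in the advisory

def substitute(template, env):
    """Replace ${NAME} references with values from env; unknown names are left as-is."""
    return SUBST.sub(lambda m: env.get(m.group(1), m.group(0)), template)

def secret_refs(params, secrets):
    """Return (parameter, secret) pairs for every parameter that references a secret."""
    names = {s.name for s in secrets}
    return [(k, r) for k, v in params.items() for r in SUBST.findall(v) if r in names]

def render_vulnerable(params, secrets):
    """Vulnerable behaviour: 'no commands' is never consulted for parameters, every
    secret is substituted, and parameters are logged as insensitive fields."""
    env = {s.name: s.value for s in secrets}
    rendered = {k: substitute(v, env) for k, v in params.items()}
    return rendered, [f"PARAMETER_{k.upper()}={v}" for k, v in rendered.items()]

def render_hardened(params, secrets, env=None):
    """Remediated behaviour: parameters are insensitive, so a secret reference in a
    parameter is rejected before the step runs and only non-secret env is substituted."""
    refs = secret_refs(params, secrets)
    if refs:
        raise ValueError(f"secret referenced in plugin parameter: {refs}")
    rendered = {k: substitute(v, env or {}) for k, v in params.items()}
    return rendered, [f"PARAMETER_{k.upper()}={v}" for k, v in rendered.items()]

def leaked_secrets(log_lines, secrets):
    """Detection over log output: names of secrets whose value appears verbatim."""
    return sorted({s.name for s in secrets for line in log_lines if s.value in line})

# Constructed sample pipeline step: a secret the author marked "no commands" is
# still fed into a plugin parameter through substitution.
SECRETS = [Secret("DOCKER_PASSWORD", "example-not-a-real-password", no_commands=True)]
PARAMS = {"registry": "registry.example.test", "password": "${DOCKER_PASSWORD}"}

if __name__ == "__main__":
    rendered, logs = render_vulnerable(PARAMS, SECRETS)
    print("leaked:", leaked_secrets(logs, SECRETS))  # ['DOCKER_PASSWORD']
    print("policy findings:", secret_refs(PARAMS, SECRETS))
```

Running `leaked_secrets` over real build logs with the pipeline's secret values is the detection side; `secret_refs` is the pre-execution policy check that corresponds to the advisory's remediation.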

