CVE-2024-28236
CVSS 3.1 Score 7.7 of 10 (high)
Details
Summary
CVE-2024-28236 is a vulnerability affecting Vela, a CI/CD framework built on Linux container technology. The issue lies in variable substitution into fields that Vela does not treat as sensitive, such as `parameters`, `image`, and `entrypoint`, which allows secrets to be injected into plugins and potentially exposed without the use of commands. This unexpected behavior is primarily a concern for secrets restricted by the "no commands" option. Exploitation requires a pipeline author to supply such secrets to a plugin that logs its parameter values. While Vela offers secrets masking, the masking process does not entirely prevent secrets exposure; the responsibility for handling secrets properly lies with the end user. This vulnerability has been addressed in version 0.23.2, and users are advised to upgrade. For those unable to do so, best practices include not providing sensitive values to plugins, ensuring plugins follow safe logging practices, minimizing secrets usage when `pull_request` events are enabled, using build approvals, and limiting shared secret access.
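As an added illustration (not Vela's code and not part of the advisory), a small Python model of the exposure: a pre-flight check that flags `${NAME}` references to a no-commands secret inside the non-sensitive step fields named above, plus a plain exact-value log mask showing one reason masking alone does not prevent exposure. The `${NAME}` reference syntax, the `allow_command` flag, the step layout and all sample values are assumptions.

```python
import base64
import re
from dataclasses import dataclass

# Step fields the advisory lists as not treated as sensitive during substitution.
NON_SENSITIVE_FIELDS = ("parameters", "image", "entrypoint")
# Assumed ${NAME} reference syntax for the pipeline's variable substitution.
SUBST = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

@dataclass
class Secret:
    name: str
    value: str
    allow_command: bool = True  # False models the "no commands" restriction

def find_restricted_refs(step, secrets):
    """Return (field, path, secret) for every ${NAME} reference to a no-commands
    secret that sits inside a non-sensitive field of one pipeline step."""
    restricted = {s.name for s in secrets if not s.allow_command}
    hits = []

    def walk(field, node, path):
        if isinstance(node, dict):
            for key, val in node.items():
                walk(field, val, f"{path}.{key}")
        elif isinstance(node, list):
            for i, val in enumerate(node):
                walk(field, val, f"{path}[{i}]")
        elif isinstance(node, str):
            hits.extend((field, path, n) for n in SUBST.findall(node) if n in restricted)

    for field in NON_SENSITIVE_FIELDS:
        if field in step:
            walk(field, step[field], field)
    return hits

def mask(line, secrets):
    """Exact-value masking, as a simple log filter would apply it."""
    for s in secrets:
        line = line.replace(s.value, "***")
    return line

# Constructed sample: one step hands a no-commands secret to a plugin parameter.
SECRETS = [Secret("DEPLOY_TOKEN", "tok-EXAMPLE-0000", allow_command=False),
           Secret("BUILD_TAG", "v1.2.3")]
STEP = {"name": "deploy", "image": "example/deploy-plugin:${BUILD_TAG}",
        "parameters": {"target": "prod", "token": "${DEPLOY_TOKEN}"}}
# A plugin that logs the token re-encoded slips past exact-value masking.
ENCODED_LOG = "auth header: " + base64.b64encode(SECRETS[0].value.encode()).decode()
```

Running `find_restricted_refs(STEP, SECRETS)` reports the `parameters.token` reference, while `mask(ENCODED_LOG, SECRETS)` returns the line unchanged because the logged value no longer matches the raw secret.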