CVSS 3.1 Score 7.7 of 10 (high)


Published Mar 12, 2024
Updated: Mar 13, 2024
CWE ID 200
CWE ID 532


Vulnerability CVE-2024-28236 affects the Vela Pipeline Automation framework, a CI/CD tool built on Linux container technology. It allows for secrets to be injected into plugins/images and exposes them in logs due to a combination of variable substitution and insensitive fields. This behavior particularly affects secrets restricted by the "no commands" option, leading to unintended use of secret values and an increased risk of exposure during image execution. Remediation involves treating parameters as insensitive and avoiding sensitive values in plugin parameters. The vulnerability has a base severity of HIGH, with a CVSS score of 7.7, indicating a potential threat to an organization's confidentiality.

Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2024-28236 information. Gain full access to comprehensive CVE data, risk scores, prioritization, and mitigation data through Recorded Future's Vulnerability Intelligence:
  • Prioritize with Risk-Based Scoring
  • Explore the Extensive Vulnerability Database
  • Receive Early Alerts on Emerging CVEs
  • Focus on Critical Exploitable Vulnerabilities
  • Streamline Remediation with Integration Options