{"id":"GHSA-3wf2-2pq4-4rvc","summary":"Woodpecker's custom environment variables allow to alter execution flow of plugins","details":"### Impact\nThe server allow to create any user who can trigger a pipeline run malicious workflows:\n- Those workflows can either lead to a host takeover that runs the agent executing the workflow.\n- Or allow to extract the secrets who would be normally provided to the plugins who's entrypoint are overwritten.\n\n### Patches\nhttps://github.com/woodpecker-ci/woodpecker/pull/3909\nhttps://github.com/woodpecker-ci/woodpecker/pull/3934\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n**Enable the \"gated\" repo feature and review each change upfront of running**\n\n### References\n- https://github.com/woodpecker-ci/woodpecker/pull/3909\n- https://github.com/woodpecker-ci/woodpecker/pull/3934\n- https://github.com/woodpecker-ci/woodpecker-security/issues/10 (info will be published later at https://github.com/woodpecker-ci/woodpecker/issues/3929)\n- https://github.com/woodpecker-ci/woodpecker/issues/3929 (info will be published later once we got adoption of the update)\n\n### Credits\n\n- Daniel Kilimnik [@D_K_Dev](https://x.com/D_K_Dev) (Neodyme AG)\n- Felipe Custodio Romero [@_localo_](https://x.com/_localo_) (Neodyme AG)","aliases":["CVE-2024-41122","GO-2024-2998"],"modified":"2024-11-18T16:26:54Z","published":"2024-07-19T19:59:06Z","related":["CVE-2024-41122"],"database_specific":{"github_reviewed_at":"2024-07-19T19:59:06Z","nvd_published_at":"2024-07-19T20:15:08Z","cwe_ids":["CWE-74"],"github_reviewed":true,"severity":"MODERATE"},"references":[{"type":"WEB","url":"https://github.com/woodpecker-ci/woodpecker/security/advisories/GHSA-3wf2-2pq4-4rvc"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41122"},{"type":"WEB","url":"https://github.com/woodpecker-ci/woodpecker-security/issues/10"},{"type":"WEB","url":"https://github.com/woodpecker-ci/woodpecker/issues/3929"},{"type":"WEB","url":"https://github.com/woodpecker-ci/woodpecker/pull/3909"},{"type":"WEB","url":"https://github.com/woodpecker-ci/woodpecker/pull/3934"},{"type":"WEB","url":"https://github.com/woodpecker-ci/woodpecker/commit/8aa3e5ec82c92eca3279e4be68625111eeedf1c4"},{"type":"PACKAGE","url":"https://github.com/woodpecker-ci/woodpecker"},{"type":"WEB","url":"https://pkg.go.dev/vuln/GO-2024-2998"}],"affected":[{"package":{"name":"go.woodpecker-ci.org/woodpecker/v2","ecosystem":"Go","purl":"pkg:golang/go.woodpecker-ci.org/woodpecker/v2"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.7.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-3wf2-2pq4-4rvc/GHSA-3wf2-2pq4-4rvc.json"}},{"package":{"name":"go.woodpecker-ci.org/woodpecker","ecosystem":"Go","purl":"pkg:golang/go.woodpecker-ci.org/woodpecker"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.7.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-3wf2-2pq4-4rvc/GHSA-3wf2-2pq4-4rvc.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"}]}