{"id":"GHSA-4gcf-5m39-98mc","summary":"Woodpecker does not validate webhook before changing any data","details":"### Impact\nAn attacker can post malformed webhook data which leads to an update of the repository data that can e.g. allow the takeover of a repository.\nThis is only critical if the CI is configured for public usage and connected to a forge witch is also in public usage.\n\n### Patches\nPlease use either next or the latest v1.0 e.g. v1.0.2\n\n### Workarounds\nSecure the CI system by making it inaccessible to untrusted entities, for example, by placing it behind a firewall.\n\n### References\nFix: https://github.com/woodpecker-ci/woodpecker/pull/2221\nBackport: https://github.com/woodpecker-ci/woodpecker/pull/2222","aliases":["CVE-2023-40034","GO-2023-2014"],"modified":"2024-08-21T14:41:50.591468Z","published":"2023-08-16T21:02:29Z","related":["CVE-2023-40034"],"database_specific":{"nvd_published_at":"2023-08-16T21:15:10Z","severity":"HIGH","github_reviewed":true,"cwe_ids":["CWE-20"],"github_reviewed_at":"2023-08-16T21:02:29Z"},"references":[{"type":"WEB","url":"https://github.com/woodpecker-ci/woodpecker/security/advisories/GHSA-4gcf-5m39-98mc"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40034"},{"type":"WEB","url":"https://github.com/woodpecker-ci/woodpecker/pull/2221"},{"type":"WEB","url":"https://github.com/woodpecker-ci/woodpecker/pull/2222"},{"type":"WEB","url":"https://github.com/woodpecker-ci/woodpecker/commit/6e4c2f84cc84661d58cf1c0e5c421a46070bb105"},{"type":"PACKAGE","url":"https://github.com/woodpecker-ci/woodpecker"},{"type":"WEB","url":"https://github.com/woodpecker-ci/woodpecker/releases/tag/v1.0.2"}],"affected":[{"package":{"name":"github.com/woodpecker-ci/woodpecker","ecosystem":"Go","purl":"pkg:golang/github.com/woodpecker-ci/woodpecker"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.0.0"},{"fixed":"1.0.2"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-4gcf-5m39-98mc/GHSA-4gcf-5m39-98mc.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}