CVE-2020-26294
Severity: HIGH
Vela compiler < 0.6.1 - Server Configuration Exposure via Sprig env Function
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology and written in Go. In Vela compiler before version 0.6.1 there is a vulnerability that allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's `env` function to retrieve configuration information; see the referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets.
References (3)
Exploit, Third Party Advisory (x_refsource_confirm)
https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j
Patch, Third Party Advisory (x_refsource_misc)
https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda
Product, Third Party Advisory (x_refsource_misc)
https://pkg.go.dev/github.com/go-vela/compiler/compiler
Scores
CVSS v3
7.4
EPSS
0.0178
EPSS Percentile
75.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Details
CWE
CWE-78
Status
published
Products (2)
go-vela/compiler
0 - 0.6.1 (Go)
target/compiler
< 0.6.1
Published
Jan 04, 2021
Tracked Since
Feb 18, 2026