GMS-2022-6556: Duplicate of ./go/github.com/go-vela/server/CVE-2022-39395.yml
Some current default configurations for Vela allow exploitation and container breakouts. Running Vela plugins as privileged Docker containers allows a malicious user to easily break out of the container and gain access to the worker host operating system. On a fresh install of Vela without any additional configuration, the target/vela-docker plugin will run as a privileged container, even if the Vela administrators did not intend to allow any privileged plugins, and even if the vela.yml configuration file does not use the privileged = True flag. Privileged containers permit trivial breakouts, which can pose significant risk to the environment in which Vela is running.
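As an added audit check (not part of the advisory or of the Vela project), the script below parses `docker inspect` output from a worker host and lists every container whose `HostConfig.Privileged` is set, so an administrator can confirm whether plugin containers such as target/vela-docker are actually running privileged regardless of what vela.yml says. The container names and the sample inspect data are constructed for the example.

```python
import json
import sys

# Constructed sample of `docker inspect` output (not taken from the advisory):
# two step containers, one of which runs with HostConfig.Privileged set.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/vela-step-build",
        "Config": {"Image": "target/vela-docker:latest"},
        "HostConfig": {"Privileged": True, "CapAdd": None},
    },
    {
        "Name": "/vela-step-test",
        "Config": {"Image": "golang:1.19"},
        "HostConfig": {"Privileged": False, "CapAdd": ["NET_BIND_SERVICE"]},
    },
])


def find_privileged(inspect_json: str) -> list:
    """Return (name, image) for each container whose HostConfig.Privileged is true.

    `inspect_json` is the JSON array printed by `docker inspect <id...>`.
    Privileged containers get every capability and unrestricted device access,
    which is what makes the breakout described in the advisory trivial.
    """
    flagged = []
    for container in json.loads(inspect_json):
        host_cfg = container.get("HostConfig") or {}
        if host_cfg.get("Privileged"):
            name = container.get("Name", "").lstrip("/")
            image = (container.get("Config") or {}).get("Image", "")
            flagged.append((name, image))
    return flagged


if __name__ == "__main__":
    # On a worker host: docker inspect $(docker ps -q) | python3 audit_privileged.py
    # With no piped input the constructed sample above is used instead.
    data = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    for name, image in find_privileged(data):
        print(f"PRIVILEGED: {name} ({image})")
```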
References
- advisory-inbox.githubapp.com/advisory_reviews/GHSA-xf39-98m2-889v
- docs.docker.com/engine/security/
- github.com/advisories/GHSA-5m7g-pj8w-7593
- github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4
- github.com/go-vela/server/releases/tag/v0.16.0
- github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593