CVE-2024-41122: Woodpecker's custom environment variables allow to alter execution flow of plugins
The server allows any user who can trigger a pipeline to run malicious workflows:
- Those workflows can either lead to a takeover of the host that runs the agent executing the workflow,
- or allow extraction of the secrets that would normally be provided to the plugins whose entrypoints are overwritten.
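As an added example, not part of the advisory and not Woodpecker's own code: a policy check over an already-parsed pipeline definition that flags plugin steps carrying a user-defined `environment` block (the surface this advisory names) and records whether such a step also receives secrets. It assumes Woodpecker's documented convention that a step with `settings` and no `commands` runs as a plugin; the sample pipeline and its image names are constructed.

```python
# Added example, not Woodpecker's own code: flag plugin steps in a parsed pipeline
# that carry a user-defined `environment` block (the surface CVE-2024-41122 names)
# and note whether the step also receives secrets the advisory says could leak.

# Assumption: Woodpecker runs a step as a plugin when it has `settings` and no
# `commands`; a plugin is meant to be configured only through `settings`.
def is_plugin_step(step: dict) -> bool:
    return "settings" in step and "commands" not in step

def references_secret(value) -> bool:
    """True if a settings/environment value pulls a secret via `from_secret`."""
    if isinstance(value, dict):
        return "from_secret" in value or any(references_secret(v) for v in value.values())
    if isinstance(value, list):
        return any(references_secret(v) for v in value)
    return False

def find_risky_plugin_steps(pipeline: dict) -> list[dict]:
    """One finding per plugin step that sets custom environment variables."""
    steps = pipeline.get("steps", {})
    # Steps may be a mapping (name -> step) or a list of steps carrying `name`.
    named = steps.items() if isinstance(steps, dict) else (
        (s.get("name", f"step-{i}"), s) for i, s in enumerate(steps))
    findings = []
    for name, step in named:
        env = step.get("environment") or {}
        if not (is_plugin_step(step) and env):
            continue
        has_secrets = (bool(step.get("secrets"))
                       or references_secret(step.get("settings"))
                       or references_secret(env))
        findings.append({"step": name, "image": step.get("image"),
                         "env_keys": sorted(env), "receives_secrets": has_secrets})
    return findings

# Constructed sample pipeline; image names are placeholders, not real plugins.
SAMPLE_PIPELINE = {"steps": {
    "build": {"image": "golang:1.22", "commands": ["go build ./..."]},
    "publish": {
        "image": "registry.example/plugin-publish",
        "settings": {"repo": "example/app",
                     "password": {"from_secret": "registry_password"}},
        "environment": {"CUSTOM_VAR": "value"},  # custom env on a plugin: flagged
    },
    "notify": {"image": "registry.example/plugin-notify",
               "settings": {"channel": "ci"}},  # plugin without custom env: allowed
}}
```

Running `find_risky_plugin_steps(SAMPLE_PIPELINE)` returns a single finding for the `publish` step, marked as receiving a secret.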
References
- github.com/advisories/GHSA-3wf2-2pq4-4rvc
- github.com/woodpecker-ci/woodpecker
- github.com/woodpecker-ci/woodpecker-security/issues/10
- github.com/woodpecker-ci/woodpecker/commit/8aa3e5ec82c92eca3279e4be68625111eeedf1c4
- github.com/woodpecker-ci/woodpecker/issues/3929
- github.com/woodpecker-ci/woodpecker/pull/3909
- github.com/woodpecker-ci/woodpecker/pull/3934
- github.com/woodpecker-ci/woodpecker/security/advisories/GHSA-3wf2-2pq4-4rvc
- nvd.nist.gov/vuln/detail/CVE-2024-41122
- pkg.go.dev/vuln/GO-2024-2998