Information Exposure Affecting github.com/go-vela/cli/action/secret package, versions <0.23.2
Snyk CVSS
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMGOVELACLIACTIONSECRET-6455611
- published 17 Mar 2024
- disclosed 15 Mar 2024
- credit gdiepen
How to fix?
Upgrade github.com/go-vela/cli/action/secret to version 0.23.2 or higher.
Overview
Affected versions of this package are vulnerable to Information Exposure due to the handling of sensitive fields like parameters, image, and entrypoint for variable substitution. An attacker can expose secrets without the use of the commands block by manipulating common substitution strings to bypass log masking. This primarily impacts secrets restricted by the "no commands" option, leading to unintended use of the secret value and increased risk of exposing the secret during image execution.
Workaround
This vulnerability can be mitigated by not providing sensitive values to plugins that can potentially expose them, ensuring plugins follow best practices to avoid logging parameters expected to be sensitive, minimizing secrets with pull_request events enabled, making use of the build approval setting, and limiting use of shared secrets.