Information Exposure Affecting github.com/go-vela/server/api/secret package, versions <0.23.2
Snyk CVSS
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMGOVELASERVERAPISECRET-6455613
- published 17 Mar 2024
- disclosed 15 Mar 2024
- credit gdiepen
How to fix?
Upgrade github.com/go-vela/server/api/secret to version 0.23.2 or higher.
Overview
Affected versions of this package are vulnerable to Information Exposure due to improper handling of sensitive fields like parameters, image, and entrypoint in combination with variable substitution. An attacker can expose secrets without the use of the commands block by manipulating substitution strings to bypass log masking. This primarily affects secrets restricted by the "no commands" option, leading to unintended use of the secret value and increased risk of exposing the secret during image execution.
Workaround
Do not provide sensitive values to plugins that can potentially expose them, especially in parameters that are not intended to be used for sensitive values. Ensure plugins follow best practices to avoid logging parameters that are expected to be sensitive. Minimize secrets with pull_request events enabled, use the build approval setting to restrict builds from untrusted users, and limit use of shared secrets.