Information Exposure Affecting github.com/go-vela/types/database package, versions <0.23.2
Snyk CVSS
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMGOVELATYPESDATABASE-6455614
- published 17 Mar 2024
- disclosed 15 Mar 2024
- credit gdiepen
How to fix?
Upgrade github.com/go-vela/types/database to version 0.23.2 or higher.
Overview
Affected versions of this package are vulnerable to Information Exposure due to the improper handling of sensitive fields like parameters, image, and entrypoint for variable substitution. An attacker can expose secrets without the use of the commands block by manipulating substitution strings to bypass log masking. This risk is heightened for secrets restricted by the "no commands" option, leading to unintended use of the secret value and increased risk of exposing the secret during image execution.
Workaround
-Do not provide sensitive values to plugins that can potentially expose them, especially in parameters that are not intended to be used for sensitive values.
-Ensure plugins (especially those that utilize shared secrets) follow best practices to avoid logging parameters that are expected to be sensitive.
-Minimize secrets with pull_request events enabled, as this allows users to change pipeline configurations and pull in secrets to steps not typically part of the CI process.
-Make use of the build approval setting, restricting builds from untrusted users
-Limit the use of shared secrets, as they are less restrictive to access by nature.