Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') The advisory has been revoked - it doesn't affect any version of package github.com/woodpecker-ci/woodpecker/pipeline/frontend  (opens in a new tab)


Threat Intelligence

EPSS
0.08% (38th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-GOLANG-GITHUBCOMWOODPECKERCIWOODPECKERPIPELINEFRONTEND-7547132
  • published21 Jul 2024
  • disclosed19 Jul 2024
  • creditUnknown

Introduced: 19 Jul 2024

CVE-2024-41122  (opens in a new tab)
CWE-74  (opens in a new tab)

How to fix?

There is no fixed version for github.com/woodpecker-ci/woodpecker/pipeline/frontend.

Amendment

This was deemed not a vulnerability.

Overview

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the custom environment variables. An attacker can alter the execution flow of plugins and potentially take over the host or extract sensitive information by creating malicious workflows. This is exploitable if the "gated" repo feature is not enabled.

Workaround

This vulnerability can be mitigated by enabling the "gated" repo feature and reviewing each change before running it.