Homepage
About Snyk

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Affecting go.woodpecker-ci.org/woodpecker/v2/pipeline/frontend package, versions >=2.0.0 <2.7.0

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.08% (37th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-GOLANG-GOWOODPECKERCIORGWOODPECKERV2PIPELINEFRONTEND-7547133
  • published 21 Jul 2024
  • disclosed 19 Jul 2024
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 19 Jul 2024

CVE-2024-41122 Open this link in a new tab
CWE-74 Open this link in a new tab

How to fix?

Upgrade go.woodpecker-ci.org/woodpecker/v2/pipeline/frontend to version 2.7.0 or higher.

Overview

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the custom environment variables. An attacker can alter the execution flow of plugins and potentially take over the host or extract sensitive information by creating malicious workflows. This is exploitable if the "gated" repo feature is not enabled.

Workaround

This vulnerability can be mitigated by enabling the "gated" repo feature and reviewing each change before running it.

CVSS Scores

version 4.0
version 3.1
Expand this section

Snyk

Recommended
7.7 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Attack Requirements (AT)
    None
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    None
  • Confidentiality (VC)
    High
  • Integrity (VI)
    High
  • Availability (VA)
    High
  • Confidentiality (SC)
    None
  • Integrity (SI)
    None
  • Availability (SA)
    None