CVE-2022-39395

CVSS V2 None CVSS V3 Critical 9.9
Description
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow exploitation and container breakouts. Users should upgrade to Server 0.16.0, Worker 0.16.0, and UI 0.17.0 to fix the issue. After upgrading, Vela administrators will need to explicitly change the default settings to configure Vela as desired. Some of the fixes will interrupt existing workflows and will require Vela administrators to modify default settings. However, not applying the patch (or workarounds) will continue existing risk exposure. Some workarounds are available. Vela administrators can adjust the worker's `VELA_RUNTIME_PRIVILEGED_IMAGES` setting to be explicitly empty, leverage the `VELA_REPO_ALLOWLIST` setting on the server component to restrict access to a list of repositories that are allowed to be enabled, and/or audit enabled repositories and disable pull_requests if they are not needed.
Overview
  • CVE ID
  • CVE-2022-39395
  • Assigner
  • security-advisories@github.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2022-11-10T18:15:10
  • Last Modified Date
  • 2022-11-17T16:45:25
Weakness Enumerations
CWE URL
CWE-269 http://cwe.mitre.org/data/definitions/269.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:go-vela:server:*:*:*:*:*:*:*:* 1 OR 0.16.0
cpe:2.3:a:go-vela:ui:*:*:*:*:*:*:*:* 1 OR 0.17.0
cpe:2.3:a:go-vela:worker:*:*:*:*:*:*:*:* 1 OR 0.16.0
CVSS Version 3
  • Version
  • 3.1
  • Vector String
  • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Attack Vector
  • NETWORK
  • Attack Compatibility
  • LOW
  • Privileges Required
  • LOW
  • User Interaction
  • NONE
  • Scope
  • CHANGED
  • Confidentiality Impact
  • HIGH
  • Availability Impact
  • HIGH
  • Base Score
  • 9.9
  • Base Severity
  • CRITICAL
  • Exploitability Score
  • 3.1
  • Impact Score
  • 6
References
Reference URL Reference Tags
https://go-vela.github.io/docs/installation/server/reference/#vela_repo_allowlist
https://github.com/go-vela/worker/releases/tag/v0.16.0
https://github.com/go-vela/server/commit/05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4
https://docs.docker.com/engine/security/#docker-daemon-attack-surface
https://github.com/go-vela/ui/releases/tag/v0.17.0
https://github.com/go-vela/server/security/advisories/GHSA-5m7g-pj8w-7593
https://go-vela.github.io/docs/installation/worker/reference/#vela_runtime_privileged_images
https://github.com/go-vela/ui/security/advisories/GHSA-xf39-98m2-889v
https://github.com/go-vela/worker/security/advisories/GHSA-2w78-ffv6-p46w
https://github.com/go-vela/server/releases/tag/v0.16.0
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2022-39395
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39395
History
Created Old Value New Value Data Type Notes
2022-11-10 19:00:10 Added to TrackCVE
2022-12-07 17:36:55 2022-11-10T18:15Z 2022-11-10T18:15:10 CVE Published Date updated
2022-12-07 17:36:55 2022-11-17T16:45:25 CVE Modified Date updated
2022-12-07 17:36:55 Analyzed Vulnerability Status updated
2022-12-07 17:36:57 CPE Information updated