CVE-2021-21432

7.5 HIGH

📋 TL;DR

CVE-2021-21432 is an authentication bypass vulnerability in the Vela CI/CD framework that allows malicious users to access secrets stored in the ~/.netrc file. It affects Vela server versions 0.7.0 through 0.7.4. Organizations running vulnerable Vela deployments for pipeline automation are at risk of credential theft.

💻 Affected Systems

Products:
  • Vela CI/CD Server
Versions: 0.7.0 through 0.7.4
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the authentication mechanism (added in 0.7.0) to be enabled and a ~/.netrc file containing credentials.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of CI/CD pipeline secrets, including source code credentials, deployment keys, and sensitive environment variables, leading to supply chain attacks.

🟠 Likely Case: Unauthorized access to repository credentials and deployment secrets, enabling code exfiltration or unauthorized deployments.

🟢 If Mitigated: Limited impact with proper network segmentation and minimal secrets stored in vulnerable configurations.

🌐 Internet-Facing: HIGH - CI/CD systems often expose APIs and web interfaces that could be targeted remotely.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires some level of access to the system, but the authentication bypass then enables credential extraction.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.7.5

Vendor Advisory: https://github.com/go-vela/server/security/advisories/GHSA-8j3f-mhq8-gmh4

Restart Required: Yes

Instructions:

1. Back up the current configuration and data.
2. Stop the Vela server.
3. Update to version 0.7.5 using the package manager or a manual installation.
4. Restart the Vela server.
5. Verify functionality.

🔧 Temporary Workarounds

Remove ~/.netrc credentials

Platform: Linux

Delete or secure the credentials stored in the ~/.netrc file used by Vela:

rm ~/.netrc
# or, if the credentials must remain:
chmod 600 ~/.netrc

Network isolation

Platform: Linux

Restrict network access to the Vela server to trusted sources only:

iptables -A INPUT -p tcp --dport [VELA_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [VELA_PORT] -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach the Vela server
  • Rotate all credentials that might be stored in ~/.netrc files and monitor for unauthorized access

🔍 How to Verify

Check if Vulnerable:

Check the Vela server version with vela version. If the version is between 0.7.0 and 0.7.4 inclusive, the system is vulnerable.

Check Version:

vela version

Verify Fix Applied:

After patching, verify with vela version that the version is 0.7.5 or higher, and test that the authentication mechanisms work properly.
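The version range check from the two steps above, as an added shell example (not from the advisory or the Vela project). It assumes `vela version` prints a MAJOR.MINOR.PATCH token somewhere in its output; the sample output in the comments is constructed.

```shell
#!/bin/sh
# Added example: decide whether a Vela server version string falls in the
# affected range 0.7.0 through 0.7.4 (fixed in 0.7.5).

# is_vulnerable_vela_version VERSION -> exit 0 if affected, 1 otherwise.
# Accepts "0.7.3" or "v0.7.3"; a pre-release/build suffix such as
# "0.7.4-rc1" is treated as its base version (conservative).
is_vulnerable_vela_version() {
    v=${1#v}
    v=${v%%-*}; v=${v%%+*}
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # Reject anything that is not exactly three numeric components.
    case "$major$minor$patch" in *[!0-9]*|"") return 1 ;; esac
    [ "$rest" = "$v" ] && return 1      # no minor component
    [ "$patch" = "$rest" ] && return 1  # no patch component
    [ "$major" -eq 0 ] && [ "$minor" -eq 7 ] && [ "$patch" -ge 0 ] && [ "$patch" -le 4 ]
}

# vela_version_from_output TEXT -> first version-like token in the CLI output.
# Output layout is an assumption; e.g. constructed sample: "vela version v0.7.3".
vela_version_from_output() {
    printf '%s\n' "$1" | grep -oE 'v?[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# check_installed_vela: run the CLI (assumed on PATH) and report the result.
# Exit status: 0 = affected, 1 = not affected, 2 = version could not be read.
check_installed_vela() {
    ver=$(vela_version_from_output "$(vela version 2>&1)")
    [ -n "$ver" ] || return 2
    if is_vulnerable_vela_version "$ver"; then
        echo "Vela $ver is in the affected range 0.7.0-0.7.4: update to 0.7.5"
        return 0
    fi
    echo "Vela $ver is outside the affected range"
    return 1
}
```

Run `check_installed_vela` on the server host after patching as well, so the exit status confirms the update actually took effect.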

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication patterns
  • Multiple failed authentication attempts followed by successful access
  • Access to ~/.netrc file by Vela processes

Network Indicators:

  • Unusual API calls to secrets endpoints
  • Traffic from unexpected sources to Vela server

SIEM Query:

source="vela" AND (event="authentication_failure" OR event="secret_access") | stats count by src_ip
