CVE-2024-28236
📋 TL;DR
This vulnerability in the Vela CI/CD framework allows pipeline authors to bypass secret masking by injecting secrets into plugin parameters, where they can then be exposed in logs. It primarily affects users who restrict secrets with the 'no commands' option, which creates a false sense of security. The risk is that sensitive values can be unintentionally exposed during pipeline execution.
💻 Affected Systems
- Vela CI/CD Framework
📦 What is this software?
Worker by Go Vela
⚠️ Risk & Real-World Impact
Worst Case
Sensitive secrets (API keys, credentials, tokens) are exposed in pipeline logs, potentially leading to unauthorized access to production systems, data breaches, or supply chain attacks.
Likely Case
Accidental exposure of secrets in build logs that could be accessed by unauthorized users or developers, potentially compromising associated services.
If Mitigated
With proper controls, secrets remain protected through masking, but there's still risk if plugins mishandle parameter values.
🎯 Exploit Status
Exploitation requires pipeline author access and specific plugin configurations that log parameters. Similar patterns are known in other CI/CD systems.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.23.2
Vendor Advisory: https://github.com/go-vela/worker/security/advisories/GHSA-pwx5-6wxg-px5h
Restart Required: Yes
Instructions:
1. Back up the current Vela configuration.
2. Update Vela to version 0.23.2 or later using your package manager or deployment method.
3. Restart Vela services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Avoid sensitive parameters in plugins
Do not pass sensitive values to plugin parameters that are not designed for secrets. Use secrets only in designated secret fields.
Review and restrict plugin logging
Audit plugins for parameter logging and modify or replace plugins that log sensitive parameter values.
🧯 If You Can't Patch
- Do not provide sensitive values to plugins that can potentially expose them, especially in the parameters field
- Minimize the secrets available to builds triggered by pull_request events, and use build approval settings to restrict untrusted users
🔍 How to Verify
Check if Vulnerable:
Check if Vela version is below 0.23.2 and review pipeline configurations for secrets passed to plugin parameters.
Check Version:
vela version
Verify Fix Applied:
Verify Vela version is 0.23.2 or later and test that secret masking works properly with parameter substitution.
📡 Detection & Monitoring
Log Indicators:
- Unmasked secret values appearing in pipeline execution logs
- Sensitive strings in parameter fields within build logs
Network Indicators:
- Unusual external connections from CI/CD system following secret exposure
SIEM Query:
Search for patterns of sensitive strings (API keys, tokens) in CI/CD log files that should be masked.
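The log indicators above amount to one check: does a value the worker was supposed to mask appear verbatim (or trivially encoded) in a build log? The following Go program is an added example, not code from the Vela project or the advisory. It takes the names and values of a pipeline's configured secrets (the values here are constructed placeholders), scans constructed build log lines for the raw value and its base64 form, and reports the leaking line with the value redacted so the finding itself cannot re-leak the secret. Vela's actual masking marker and log format are assumed, not taken from the project.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// Secret is one configured pipeline secret. Only Name is ever reported.
type Secret struct {
	Name  string
	Value string
}

// Finding records a log line in which a secret value appeared unmasked.
type Finding struct {
	Line     int    // 1-based line number in the log
	Secret   string // name of the leaked secret (the value is never copied out)
	Encoding string // "plain" or "base64"
	Text     string // the log line with the leaked value replaced by [REDACTED]
}

// minSecretLen skips very short values that would match ordinary log text.
const minSecretLen = 8

// FindUnmaskedSecrets scans build log lines for secret values the worker
// should have masked. It checks the raw value and its standard base64 form,
// because plugins that dump their parameters sometimes encode them first.
func FindUnmaskedSecrets(logLines []string, secrets []Secret) []Finding {
	var findings []Finding
	for i, line := range logLines {
		for _, s := range secrets {
			if len(s.Value) < minSecretLen {
				continue
			}
			encoded := base64.StdEncoding.EncodeToString([]byte(s.Value))
			switch {
			case strings.Contains(line, s.Value):
				findings = append(findings, Finding{i + 1, s.Name, "plain",
					strings.ReplaceAll(line, s.Value, "[REDACTED]")})
			case strings.Contains(line, encoded):
				findings = append(findings, Finding{i + 1, s.Name, "base64",
					strings.ReplaceAll(line, encoded, "[REDACTED]")})
			}
		}
	}
	return findings
}

// SampleSecrets returns constructed secrets for the demonstration; the
// values are placeholders, not real credentials.
func SampleSecrets() []Secret {
	return []Secret{
		{Name: "registry_password", Value: "s3cr3t-token-value-EXAMPLE"},
		{Name: "deploy_api_key", Value: "api-key-EXAMPLE-0123456789"},
	}
}

// SampleLog returns constructed build log lines (the "***" mask and the
// "[plugin]" prefix are assumed formats, not Vela's verified output).
// Line 1 shows masking working; line 2 mimics a plugin echoing its
// parameters; line 3 mimics a plugin that base64-encodes one before logging.
func SampleLog() []string {
	pw := SampleSecrets()[0].Value
	return []string{
		`$ docker login -u deploy -p ***`,
		`[plugin] parameters: {"registry":"docker.io","password":"` + pw + `"}`,
		`[plugin] debug: password_b64=` + base64.StdEncoding.EncodeToString([]byte(pw)),
		`[plugin] push complete`,
	}
}

func main() {
	for _, f := range FindUnmaskedSecrets(SampleLog(), SampleSecrets()) {
		fmt.Printf("line %d: secret %q leaked (%s): %s\n", f.Line, f.Secret, f.Encoding, f.Text)
	}
}
```

Run this over archived build logs with the secret values pulled from the secret store at scan time; a single plain or base64 hit on a secret that was restricted with the 'no commands' option is exactly the exposure this advisory describes and should trigger rotation of that secret.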
🔗 References
- https://github.com/go-vela/worker/commit/e1572743b008e4fbce31ebb1dcd23bf6a1a30297
- https://github.com/go-vela/worker/security/advisories/GHSA-pwx5-6wxg-px5h