CVE-2024-41122

7.5 HIGH

📋 TL;DR

This vulnerability in Woodpecker CI/CD allows any user who can define a workflow to craft a malicious one that leads to takeover of the host running the agent that executes it, or to extraction of secrets passed to plugins. Every Woodpecker installation before the fix is affected; open user registration matters because it lets an attacker obtain such an account with no prior access. The issue has been fixed in version 2.7.0.

💻 Affected Systems

Products:
  • Woodpecker CI/CD
Versions: All versions before 2.7.0
Operating Systems: All platforms running Woodpecker
Default Config Vulnerable: ⚠️ Yes
Notes: Any authenticated user who can push a pipeline definition can exploit this. Open registration (WOODPECKER_OPEN=true; it is off by default) lets anyone obtain such an account, which is the usual exposure in multi-user CI/CD environments.

📦 What is this software?

Woodpecker is an open-source CI/CD engine (a community fork of Drone) that runs pipeline steps in containers on agents registered with a central server. Workflows are defined per repository in YAML, and plugins are container images that receive their settings and secrets through environment variables.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the host running the Woodpecker agent, allowing attacker persistence, lateral movement, and data exfiltration.

🟠 Likely Case

Unauthorized pipeline execution leading to resource abuse, secret leakage, and potential privilege escalation within the CI/CD environment.

🟢 If Mitigated

Limited impact with proper network segmentation and minimal secrets exposure, but still allowing unauthorized workflow execution.

🌐 Internet-Facing: HIGH - If user registration is exposed to the internet, attackers can create accounts and exploit the vulnerability remotely.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts can exploit this, but requires some level of initial access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation needs a Woodpecker account that can define pipelines (open registration hands one to any attacker) and is straightforward once that account exists: no authentication bypass or memory corruption is involved, only a crafted workflow.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.0

Vendor Advisory: https://github.com/woodpecker-ci/woodpecker/security/advisories/GHSA-3wf2-2pq4-4rvc

Restart Required: Yes

Instructions:

1. Back up your Woodpecker configuration and database.
2. Stop the Woodpecker server and agents.
3. Update to version 2.7.0 or later using your package manager, container image tag, or the GitHub releases page.
4. Restart the Woodpecker server and agents.
5. Verify the running version is 2.7.0 or higher.

🔧 Temporary Workarounds

Disable user registration (all platforms)

Temporarily close new user registration so attackers cannot create accounts. Woodpecker's switch for this is WOODPECKER_OPEN: set WOODPECKER_OPEN=false (the default) in the server's environment and restart the server. This does nothing against accounts that already exist, so audit those separately.

Restrict pipeline permissions (all platforms)

Require approval before pipelines run and limit who can trigger them: enable the approval gate in each repository's project settings so that workflows from untrusted sources wait for a maintainer, and remove repository access from accounts that do not need it.

🧯 If You Can't Patch

  • Disable user registration completely and audit all existing user accounts
  • Implement network segmentation to isolate Woodpecker agents from sensitive systems

🔍 How to Verify

Check if Vulnerable:

You are vulnerable if the Woodpecker server version is below 2.7.0; you are exposed to anonymous attackers as well if user registration is open (WOODPECKER_OPEN=true).

Check Version:

woodpecker-server --version, the container image tag, or the server's /version endpoint (for example, curl -s https://ci.example.com/version)

Verify Fix Applied:

Verify the running server and agents report version 2.7.0 or higher, and confirm that registration is closed unless it is deliberately needed.
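The version and registration checks above, as an added shell example (this is not a Woodpecker tool): it classifies a server's exposure from the version string and the WOODPECKER_OPEN setting. It assumes the server's /version endpoint answers with a JSON object carrying a "version" key; the sample response embedded below is constructed, so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the Woodpecker project: classify a Woodpecker
# server's exposure to CVE-2024-41122 from the two facts the page uses:
#   1. the server version (the fix shipped in 2.7.0)
#   2. whether open registration is on (WOODPECKER_OPEN=true)
# SAMPLE_VERSION_JSON is a constructed stand-in for the body of
#   curl -s "$WOODPECKER_SERVER/version"
# and assumes that endpoint returns a JSON object with a "version" key.
SAMPLE_VERSION_JSON='{"source":"https://github.com/woodpecker-ci/woodpecker","version":"2.6.1"}'

# Pull the "version" value out of a /version JSON body, dropping a leading "v".
wp_version_from_json() {
    printf '%s' "$1" |
        sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"v\{0,1\}\([^"]*\)".*/\1/p'
}

# Keep only digits, defaulting to 0, so the numeric tests never see garbage.
digits() {
    d=$(printf '%s' "$1" | tr -cd '0-9')
    printf '%s' "${d:-0}"
}

# Exit 0 if $1 is below the fixed release 2.7.0, 1 if at or above it,
# 2 if the string is not a release version (e.g. "next-1234abc").
# A pre-release of 2.7.0 itself ("2.7.0-rc1") is treated as unfixed.
wp_version_below_fix() {
    v="$1"
    case "$v" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) return 2 ;;
    esac
    suffix=""
    case "$v" in *-*) suffix="${v#*-}"; v="${v%%-*}" ;; esac
    major=$(digits "${v%%.*}")
    rest="${v#*.}"
    minor=$(digits "${rest%%.*}")
    patch=$(digits "${rest#*.}")
    if [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 7 ]; }; then
        return 0
    fi
    if [ "$major" -eq 2 ] && [ "$minor" -eq 7 ] && [ "$patch" -eq 0 ] && [ -n "$suffix" ]; then
        return 0
    fi
    return 1
}

# Print a verdict. $1 = version string, $2 = value of WOODPECKER_OPEN.
#   FIXED                         version is 2.7.0 or later
#   VULNERABLE-OPEN-REGISTRATION  unfixed and anyone can create an account
#   VULNERABLE-EXISTING-USERS     unfixed; only existing accounts can exploit
#   UNKNOWN-VERSION               not a release version; check the image tag
wp_exposure() {
    rc=0
    wp_version_below_fix "$1" || rc=$?
    case "$rc" in
        1) echo FIXED; return 0 ;;
        2) echo UNKNOWN-VERSION; return 0 ;;
    esac
    if [ "$2" = "true" ]; then
        echo VULNERABLE-OPEN-REGISTRATION
    else
        echo VULNERABLE-EXISTING-USERS
    fi
}

# Stand-alone run against the constructed sample. On a real host, export
# WOODPECKER_OPEN with the server's actual value before running this.
main() {
    ver=$(wp_version_from_json "$SAMPLE_VERSION_JSON")
    echo "server version: ${ver:-unknown}"
    echo "exposure: $(wp_exposure "${ver:-unknown}" "${WOODPECKER_OPEN:-false}")"
}
main
```

The version check deliberately treats "2.7.0-rc1" as unfixed and refuses to judge rolling tags such as "next-…": for those, compare the image digest against the release that contains the fix rather than trusting the string.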

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized user creation events
  • Unusual pipeline execution patterns
  • Workflow steps attempting to access host resources

Network Indicators:

  • Unexpected outbound connections from Woodpecker agents
  • Traffic to unusual destinations from CI/CD environment

SIEM Query (illustrative; the source and event field names must be mapped to whatever your log collector extracts from Woodpecker's server logs):

source="woodpecker" AND (event="user_created" OR event="pipeline_started") | stats count by user, pipeline

🔗 References

  • GitHub Security Advisory GHSA-3wf2-2pq4-4rvc: https://github.com/woodpecker-ci/woodpecker/security/advisories/GHSA-3wf2-2pq4-4rvc
  • NVD entry for CVE-2024-41122: https://nvd.nist.gov/vuln/detail/CVE-2024-41122