CVE-2020-26294

medium

Description

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's `env` function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets.

References

Advisories
More

https://pkg.go.dev/github.com/go-vela/compiler/compiler

https://github.com/go-vela/compiler/commit/f1ace5f8a05c95c4d02264556e38a959ee2d9bda

https://github.com/go-vela/compiler/security/advisories/GHSA-gv2h-gf8m-r68j

Details

Source: Mitre, NVD

Published: 2021-01-04

Updated: 2026-06-17

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.3

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.0035