SCA: security update for github.com/go-vela/worker (GHSA-pwx5-6wxg-px5h)

medium Tenable Cloud Security Plugin ID 417757

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang.
Vela pipelines can use variable substitution combined with insensitive fields like `parameters`, `image`
and `entrypoint` to inject secrets into a plugin/image and — by using common substitution string
manipulation — can bypass log masking and expose secrets without the use of the commands block. This
unexpected behavior primarily impacts secrets restricted by the "no commands" option. This can lead to
unintended use of the secret value, and increased risk of exposing the secret during image execution
bypassing log masking. **To exploit this** the pipeline author must be supplying the secrets to a plugin
that is designed in such a way that will print those parameters in logs. Plugin parameters are not
designed for sensitive values and are often intentionally printed throughout execution for
informational/debugging purposes. Parameters should therefore be treated as insensitive. While Vela
provides secrets masking, secrets exposure is not entirely solved by the masking process. A docker image
(plugin) can easily expose secrets if they are not handled properly, or altered in some way. There is a
responsibility on the end-user to understand how values injected into a plugin are used. This is a risk
that exists for many CICD systems (like GitHub Actions) that handle sensitive runtime variables. Rather,
the greater risk is that users who restrict a secret to the "no commands" option and use image restriction
can still have their secret value exposed via substitution tinkering, which turns the image and command
restrictions into a false sense of security. This issue has been addressed in version 0.23.2. Users are
advised to upgrade. Users unable to upgrade should not provide sensitive values to plugins that can
potentially expose them, especially in `parameters` that are not intended to be used for sensitive values,
ensure plugins (especially those that utilize shared secrets) follow best practices to avoid logging
parameters that are expected to be sensitive, minimize secrets with `pull_request` events enabled, as this
allows users to change pipeline configurations and pull in secrets to steps not typically part of the CI
process, make use of the build approval setting, restricting builds from untrusted users, and limit use of
shared secrets, as they are less restrictive to access by nature. (CVE-2024-28236)

See Also

https://github.com/advisories/GHSA-pwx5-6wxg-px5h

Plugin Details

Severity: Medium

ID: 417757

Version: Revision 1.10

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2024-28236

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/14/2024

Vulnerability Publication Date: 3/12/2024

Reference Information

CVE: CVE-2024-28236