Cyber Resilience

CVE-2024-28236

High

Published: 12 March 2024

Published
12 March 2024
Modified
22 January 2025
KEV Added
Patch
CVSS Score v3.1 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS Score 0.0024 46.7th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-28236 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Go-Vela Worker. Its CVSS base score is 7.7 (High).

Operationally, ranked at the 46.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Vela pipelines can use variable substitution combined with insensitive fields like `parameters`, `image` and `entrypoint` to inject secrets into a plugin/image and — by using…

more

common substitution string manipulation — can bypass log masking and expose secrets without the use of the commands block. This unexpected behavior primarily impacts secrets restricted by the "no commands" option. This can lead to unintended use of the secret value, and increased risk of exposing the secret during image execution bypassing log masking. **To exploit this** the pipeline author must be supplying the secrets to a plugin that is designed in such a way that will print those parameters in logs. Plugin parameters are not designed for sensitive values and are often intentionally printed throughout execution for informational/debugging purposes. Parameters should therefore be treated as insensitive. While Vela provides secrets masking, secrets exposure is not entirely solved by the masking process. A docker image (plugin) can easily expose secrets if they are not handled properly, or altered in some way. There is a responsibility on the end-user to understand how values injected into a plugin are used. This is a risk that exists for many CICD systems (like GitHub Actions) that handle sensitive runtime variables. Rather, the greater risk is that users who restrict a secret to the "no commands" option and use image restriction can still have their secret value exposed via substitution tinkering, which turns the image and command restrictions into a false sense of security. This issue has been addressed in version 0.23.2. Users are advised to upgrade. Users unable to upgrade should not provide sensitive values to plugins that can potentially expose them, especially in `parameters` that are not intended to be used for sensitive values, ensure plugins (especially those that utilize shared secrets) follow best practices to avoid logging parameters that are expected to be sensitive, minimize secrets with `pull_request` events enabled, as this allows users to change pipeline configurations and pull in secrets to steps not typically part of the CI process, make use of the build approval setting, restricting builds from untrusted users, and limit use of shared secrets, as they are less restrictive to access by nature.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

go-vela
worker
≤ 0.23.2

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-200 CWE-532

Monitoring directly detects unauthorized disclosure of sensitive information, enabling response to exposures.

addresses: CWE-200 CWE-532

Coordinating audit logging across organizational boundaries reduces the risk of sensitive audit data being exposed to unauthorized actors during transmission.

addresses: CWE-200 CWE-532

A data action map identifies locations where sensitive information may be exposed to unauthorized actors during processing or transfer.

addresses: CWE-200 CWE-532

The control's identification, isolation, alerting, and eradication steps directly limit the impact and exploitation window of unauthorized sensitive information exposure.

addresses: CWE-200 CWE-532

Requiring organization-defined processing conditions on specific PII categories directly reduces the chance that personal data will be exposed to unauthorized actors.

addresses: CWE-200 CWE-532

The assessment process surfaces design decisions that could expose sensitive (including PII) data to unauthorized actors, prompting controls that reduce such exposure.

addresses: CWE-200 CWE-532

Directly prevents exposure of critical organizational information by applying OPSEC processes across the SDLC.

addresses: CWE-200 CWE-532

Filtering output to only permitted content stops unintended disclosure of sensitive information to unauthorized actors.

References