Custom workspace allow to overwrite plugin entrypoint executable

Impact

The server allow to create any user who can trigger a pipeline run malicious workflows:

Those workflows can either lead to a host takeover that runs the agent executing the workflow.
Or allow to extract the secrets who would be normally provided to the plugins who's entrypoint are overwritten.

Patches

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?
Enable the "gated" repo feature and review each change upfront

References

#3933
https://github.com/woodpecker-ci/woodpecker-security/pull/11
https://github.com/woodpecker-ci/woodpecker-security/issues/8 (info will be published later at #3924)
https://github.com/woodpecker-ci/woodpecker-security/issues/9 (info will be published later at #3924)
#3924 (info will be published later once we got adoption of the update)

Credits

Daniel Kilimnik @D_K_Dev (Neodyme AG)
Felipe Custodio Romero @localo (Neodyme AG)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Custom workspace allow to overwrite plugin entrypoint executable

Package

Affected versions

Patched versions

Description

Impact

Patches

Workarounds

References

Credits

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

CVE ID

Weaknesses