Repository takeover in woodpecker-ci
CVE-2023-40034
8.1 HIGH
What is CVE-2023-40034?
The vulnerability allows an attacker to send malformed webhook data to Woodpecker CI and thereby make unauthorized updates to repository data. This can result in the takeover of a repository, particularly when the continuous integration system is configured for public access and is linked to publicly accessible code repositories. A patch was released in version 1.0.2. Users who cannot upgrade are strongly advised to restrict access to the Woodpecker instance through firewalls or similar protective measures.
Affected Version(s)
woodpecker >= 1.0.0, < 1.0.2