Repository takeover in woodpecker-ci
CVE-2023-40034
8.1 HIGH
What is CVE-2023-40034?
The vulnerability allows attackers to exploit malformed webhook data in Woodpecker CI, leading to unauthorized updates to repository data. This can result in the takeover of repositories, particularly when the continuous integration system is configured for public access and linked to publicly accessible code repositories. A patch was released in version 1.0.2. Users who cannot upgrade are strongly advised to restrict access to the Woodpecker instance with a firewall or similar protective measures.
Affected Version(s)
woodpecker >= 1.0.0, < 1.0.2
References
CVSS V3.1
Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved