Woodpecker CI/CD Engine Vulnerability: Upgrade Now to Avoid Malicious Workflows
CVE-2024-41122

8.8 HIGH

Key Information:

Vendor: Woodpecker-ci
Product: Woodpecker
Status: Vendor
CVE Published: 19 July 2024

Summary

The Woodpecker CI/CD engine has a significant security vulnerability that allows unauthorized users to create malicious workflows capable of executing harmful actions on host systems. Specifically, these workflows can lead to a complete host takeover by executing arbitrary code with elevated privileges or facilitate the unauthorized extraction of sensitive secrets stored within the application. To mitigate this risk, affected users should promptly upgrade to the fixed version, 2.7.0, as there are currently no known workarounds available.

Affected Version(s)

woodpecker < 2.7.0

References

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved

Collectors

NVD Database, Mitre Database