
CVE-2024-41121: Woodpecker's custom workspace allows overwriting the plugin entrypoint executable

CVSS Score: 8.8 (CVSS 3.1)

Basic Information

EPSS Score: 0.55492%
Published: 7/19/2024
Updated: 8/7/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
go.woodpecker-ci.org/woodpecker/v2 | go | < 2.7.0 | 2.7.0
go.woodpecker-ci.org/woodpecker | go | < 2.7.0 | 2.7.0

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stemmed from improper workspace path handling. Key functions identified:

1) createProcess in convert.go - originally used user-defined workspace base for plugins, allowing overwriting of entrypoint executables via path traversal.
2) stepWorkingDir - combined user-controlled paths without plugin-specific sanitization.
3) WithWorkspace in option.go - set vulnerable path values.

The patch introduced path.Clean, enforced fixed pluginWorkspaceBase, and separated plugin/non-plugin path handling, confirming these were the vulnerable points.
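The path handling described above, as an added sketch that is not Woodpecker's own code: the function names, parameters and the value of the fixed plugin base are hypothetical, and the sample pipeline values are constructed. It contrasts joining a user-defined base for every step with cleaning the inputs and forcing plugins onto a fixed base.

```go
package main

import (
	"fmt"
	"path"
)

// pluginBase stands in for the fixed plugin workspace base (the page names it
// pluginWorkspaceBase but does not give its value); this value is constructed.
const pluginBase = "/plugin-workspace"

// unsafeWorkingDir models the pre-patch behaviour described above: the
// user-defined workspace base is joined in for every step, plugins included.
func unsafeWorkingDir(userBase, userPath, stepDir string) string {
	return path.Join(userBase, userPath, stepDir)
}

// safeWorkingDir models the three changes the analysis lists: path.Clean on
// the user-supplied values, a fixed base for plugins, and separate handling
// of plugin and non-plugin steps.
func safeWorkingDir(isPlugin bool, userBase, userPath, stepDir string) string {
	base := path.Clean("/" + userBase) // non-plugin steps keep their own base
	if isPlugin {
		base = pluginBase // the user-defined base is ignored for plugins
	}
	// Rooting the relative part at "/" before Clean discards leading ".."
	// segments, so the joined result cannot climb out of base.
	rel := path.Clean("/" + path.Join(userPath, stepDir))
	return path.Join(base, rel)
}

func main() {
	// Constructed pipeline values: a custom base plus traversal segments.
	userBase, userPath, stepDir := "/custom/base", "../../elsewhere", ""
	fmt.Println("pre-patch plugin dir:  ", unsafeWorkingDir(userBase, userPath, stepDir))
	fmt.Println("patched plugin dir:    ", safeWorkingDir(true, userBase, userPath, stepDir))
	fmt.Println("patched non-plugin dir:", safeWorkingDir(false, userBase, userPath, stepDir))
}
```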


WAF Protection Rules

WAF Rule

### Impact

The server allow to create any user who can trigger a pipeline run malicious workflows:

- Those workflows can either lead to a host takeover that runs the agent executing the workflow.
- Or allow to extract the secrets who would be normally…
