CVE-2024-41122: Woodpecker's custom environment variables allow to alter execution flow of plugins

CVSS Score: 7.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.45937%
Published: 7/19/2024
Updated: 11/18/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| go.woodpecker-ci.org/woodpecker/v2 | go | < 2.7.0 | 2.7.0 |
| go.woodpecker-ci.org/woodpecker | go | < 2.7.0 | 2.7.0 |

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from two key flaws:

1) The IsPlugin check didn't consider environment variables, allowing plugins to be configured with dangerous environment variables.
2) The linter's validation was insufficient and allowed environment variables in plugin steps.

The patches added environment checks to IsPlugin and replaced lintCommands with lintSettings, which enforces mutual exclusivity between settings and environment/commands/entrypoint.
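
The two checks described above, sketched as an added example that is not Woodpecker's own code: the Step type, the function bodies and the sample steps are simplified assumptions built only from the description on this page.

```go
package main

import "fmt"

// Step is a simplified, hypothetical pipeline step; it is not Woodpecker's own type.
type Step struct {
	Name        string
	Settings    map[string]string
	Environment map[string]string
	Commands    []string
	Entrypoint  []string
}

// isPluginBefore models the flawed check: environment is not considered.
func isPluginBefore(s Step) bool {
	return len(s.Commands) == 0 && len(s.Entrypoint) == 0
}

// isPluginAfter models the patched check: any environment entry disqualifies the step.
func isPluginAfter(s Step) bool {
	return isPluginBefore(s) && len(s.Environment) == 0
}

// lintSettings returns one violation per field that is combined with settings.
func lintSettings(s Step) []string {
	var out []string
	if len(s.Settings) == 0 {
		return out // not a settings-driven step, nothing to enforce here
	}
	checks := []struct {
		field string
		n     int
	}{{"commands", len(s.Commands)}, {"entrypoint", len(s.Entrypoint)}, {"environment", len(s.Environment)}}
	for _, c := range checks {
		if c.n > 0 {
			out = append(out, fmt.Sprintf("step %q: settings cannot be combined with %s", s.Name, c.field))
		}
	}
	return out
}

func main() {
	// Constructed sample steps; names and values are placeholders.
	settings := map[string]string{"repo": "example/app"}
	steps := []Step{
		{Name: "publish", Settings: settings},
		{Name: "publish-env", Settings: settings, Environment: map[string]string{"EXAMPLE_VAR": "1"}},
	}
	for _, s := range steps {
		fmt.Println(s.Name, isPluginBefore(s), isPluginAfter(s), lintSettings(s))
	}
}
```

The second sample step passes the older check as a plugin, fails the patched one, and produces one lint violation for the environment field.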
