Advisories

Woodpecker

CVE-2024-41121 ‒ Privilege escalation via custom workspace

Woodpecker is a simple yet powerful CI/CD engine with great extensibility. However, a vulnerability was identified that allows any user with permission to create workflows and trigger pipeline runs to take over the host. This vulnerability poses two potential risks:

1. Malicious workflows could lead to a host takeover of the agent executing the workflow.
2. Attackers could extract sensitive secrets that are typically passed to the plugins, by overwriting their entry points.

These issues have been addressed in release version 2.7.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Trend Micro Apex One

Check Point Harmony

Webroot Endpoint Protection

Wazuh

CVE-2023-50260 ‒ Command Injection via Active Responses

Wazuh is an "Open Source Security Platform" that provides agent-based security monitoring for Unix and Windows clients. This vulnerability affects the Active Response feature, which can automatically trigger actions in response to alerts. The specific vulnerability is in the handling of IP address arguments; it results from the lack of proper validation of the JSON messages that carry them. An attacker could exploit this vulnerability to run code in the context of root, either to escalate privileges or to pivot from the management server to client systems.

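To make the flaw class concrete, here is an added example written for this page, not Wazuh's code: a stand-in active-response handler that receives the alert as JSON and blocks the reported source IP with iptables. The message layout (`parameters.alert.data.srcip`), the iptables invocation, the sample messages and all function names are assumptions made for illustration. The vulnerable builder splices the untrusted field straight into a shell command string; the hardened one parses the field with `ipaddress` and hands an argv list to `subprocess`, so no shell ever interprets the value.

```python
"""Illustrative active-response handler: unvalidated vs. validated IP argument.

Constructed example, not Wazuh's code. The JSON shape, the field name "srcip"
and the iptables command line are assumptions for illustration only.
"""
import ipaddress
import json
import shlex
import subprocess

# Constructed sample messages (not captured from a real deployment). The second
# one carries shell metacharacters in the field a naive handler splices into a
# command line.
BENIGN_MSG = json.dumps(
    {"command": "add", "parameters": {"alert": {"data": {"srcip": "203.0.113.7"}}}}
)
MALICIOUS_MSG = json.dumps(
    {"command": "add", "parameters": {"alert": {"data": {"srcip": "203.0.113.7; touch /tmp/pwned"}}}}
)


def extract_srcip(raw: str) -> str:
    """Pull the source IP out of the JSON message (message layout is assumed)."""
    msg = json.loads(raw)
    return msg["parameters"]["alert"]["data"]["srcip"]


def build_block_command_vulnerable(raw: str) -> str:
    """VULNERABLE pattern: the untrusted field is interpolated into a shell string.

    Executing this via os.system() or subprocess with shell=True lets ';', '&&'
    or '$( )' inside the field run as whatever user the responder runs as, which
    for active responses is root.
    """
    srcip = extract_srcip(raw)
    return f"iptables -I INPUT -s {srcip} -j DROP"


class InvalidIPError(ValueError):
    """Raised when the srcip field is not a syntactically valid IP address."""


def validate_ip(value: str) -> str:
    """Allowlist check: the value must parse as an IPv4/IPv6 address.

    Returns the canonical textual form, so whatever reaches the command line is
    the parser's output, never the attacker's raw bytes.
    """
    if not isinstance(value, str):
        raise InvalidIPError(f"srcip is not a string: {value!r}")
    try:
        return str(ipaddress.ip_address(value))
    except ValueError as exc:
        raise InvalidIPError(f"srcip is not an IP address: {value!r}") from exc


def build_block_command_hardened(raw: str) -> list[str]:
    """HARDENED pattern: validate the field, then build an argv list.

    An argv list passed to subprocess.run() with the default shell=False is
    never parsed by a shell, so metacharacters cannot change the command.
    """
    srcip = validate_ip(extract_srcip(raw))
    return ["iptables", "-I", "INPUT", "-s", srcip, "-j", "DROP"]


def is_safe_srcip(raw: str) -> bool:
    """True if the message's srcip passes validation, False otherwise."""
    try:
        validate_ip(extract_srcip(raw))
        return True
    except (InvalidIPError, KeyError, TypeError, ValueError):
        return False


def run_block(raw: str, dry_run: bool = True) -> int:
    """Run the hardened command. With dry_run=True (default) it only echoes the
    argv so the example runs without root or iptables; set False on a real host."""
    argv = build_block_command_hardened(raw)
    if dry_run:
        print("would run:", shlex.join(argv))
        return 0
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    # The vulnerable builder happily produces an injected command line ...
    print("vulnerable:", build_block_command_vulnerable(MALICIOUS_MSG))
    # ... the hardened path accepts the benign message and rejects the crafted one.
    run_block(BENIGN_MSG)
    try:
        run_block(MALICIOUS_MSG)
    except InvalidIPError as err:
        print("rejected:", err)
```

The validation step and the argv-list execution are two independent layers: even if a future field is less constrained than an IP address, keeping shell=False means the worst an attacker controls is a single argument, not the command. Any field the responder forwards to another program should get the same treatment, with a parser specific to that field's expected type rather than a generic "strip dangerous characters" filter.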
CVE-2024-32038 ‒ Heap-based Buffer Overflow in Event Decoder

Wazuh is an "Open Source Security Platform" that provides agent-based security monitoring for Unix and Windows clients. This vulnerability is a heap-based buffer overflow in the event decoder of the "Analysis Engine", a component of the management server. It could allow unauthenticated attackers to execute arbitrary commands on the Wazuh management server.
Bitdefender Total Security

AVG Internet Security

Disclosure Policy
We take responsible disclosure seriously.
We adhere to an industry-standard 90+30 disclosure policy. This means that once we notify the vendor about a security vulnerability, they have 90 days to create a patch and make it available to users. Neodyme will publicly disclose vulnerability details 30 days after the patch has been made available to users. If the vendor does not patch an issue within the initial 90 days, Neodyme reserves the right to publicize details of the vulnerability at the end of the 90-day period. However, the vendor may request an additional 14-day grace period to release a patch. In such a case, Neodyme will publicize vulnerability details 120 days after the initial disclosure. This policy is inspired by the Google Project Zero disclosure policy.