Woodpecker is a simple yet powerful CI/CD engine with great extensibility. However, a vulnerability was identified that allows any user with permission to create workflows and trigger pipeline runs to take over the host. This vulnerability poses two potential risks:

1. Malicious workflows could lead to a host takeover of the agent executing the workflow.
2. Attackers could extract sensitive secrets that are typically exposed only to the plugins, by overwriting their entry points.

These issues have been addressed in release version 2.7.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
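Two defender-side checks that follow from the advisory, written here as an added example (this is not code from the Woodpecker project or from the advisory): a version test that treats anything older than the 2.7.0 fix release as affected, and a scanner that surfaces every pipeline definition overriding the workspace, since the advisory names a custom workspace as the vector. The `workspace:` / `base:` / `path:` YAML layout and the MAJOR.MINOR.PATCH version format are assumptions about Woodpecker's configuration, not statements taken from the advisory; the sample pipeline files are constructed inline.

```python
"""Added example, not part of the Woodpecker project or of the advisory.

Checks for CVE-2024-41121 from a defender's side:
  1. is_vulnerable_version(): the advisory says the fix shipped in 2.7.0,
     so any server or agent reporting an older release is affected.
  2. find_custom_workspaces(): the advisory's title names a custom
     workspace as the vector, so list every pipeline file that overrides
     the workspace for human review.
Assumptions (not from the advisory): pipeline YAML declares a workspace
override with a top-level `workspace:` key carrying `base:` and/or
`path:`, and version strings follow MAJOR.MINOR.PATCH with an optional
`-prerelease` suffix.
"""
import re
from typing import Dict, List, Tuple

# From the advisory: "addressed in release version 2.7.0".
FIXED_VERSION = (2, 7, 0)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")


def parse_version(version: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_prerelease) for '2.6.1', 'v2.7.0-rc.1', ..."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return nums, m.group(4) is not None


def is_vulnerable_version(version: str) -> bool:
    """True when the reported release predates the 2.7.0 fix.

    A pre-release of 2.7.0 itself (e.g. 2.7.0-rc.1) is treated as
    unfixed, because it was cut before the final release.
    """
    nums, prerelease = parse_version(version)
    return nums < FIXED_VERSION or (nums == FIXED_VERSION and prerelease)


# Top-level `workspace:` key, then indented `base:` / `path:` fields.
_WORKSPACE_HEADER = re.compile(r"^workspace:\s*$")
_WORKSPACE_FIELD = re.compile(r"^\s+(base|path):\s*(\S+)\s*$")


def find_custom_workspaces(pipelines: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (file, field, value) for every workspace override found.

    A deliberately small line-oriented scan so the example has no YAML
    library dependency; values containing '#' are not handled.
    """
    findings: List[Tuple[str, str, str]] = []
    for name, text in pipelines.items():
        in_block = False
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].rstrip()  # drop trailing YAML comments
            if not line.strip():
                continue
            if _WORKSPACE_HEADER.match(line):
                in_block = True
                continue
            if in_block:
                if line[0].isspace():  # still inside the workspace mapping
                    m = _WORKSPACE_FIELD.match(line)
                    if m:
                        findings.append((name, m.group(1), m.group(2)))
                    continue
                in_block = False  # a new top-level key ends the block
    return findings


# Constructed sample pipelines (not real project files): one without an
# override and one that sets a custom workspace.
SAMPLE_PIPELINES = {
    "safe.yml": (
        "steps:\n"
        "  - name: build\n"
        "    image: golang:1.22\n"
        "    commands:\n"
        "      - go build ./...\n"
    ),
    "custom.yml": (
        "workspace:\n"
        "  base: /data   # custom base directory\n"
        "  path: build\n"
        "\n"
        "steps:\n"
        "  - name: build\n"
        "    image: alpine\n"
        "    commands:\n"
        "      - echo building\n"
    ),
}

if __name__ == "__main__":
    for v in ("2.6.1", "2.7.0-rc.1", "2.7.0", "v2.7.1"):
        print(f"{v:>10}: {'VULNERABLE' if is_vulnerable_version(v) else 'fixed'}")
    for file, field, value in find_custom_workspaces(SAMPLE_PIPELINES):
        print(f"review {file}: workspace.{field} = {value}")
```

Running the block flags `custom.yml` for review and reports `2.6.1` and `2.7.0-rc.1` as affected; the workspace scan is only a triage aid, because the advisory lists no workaround and the actual remediation is upgrading to 2.7.0 or later.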
Author: Daniel
Woodpecker
CVE-2024-41121 ‒ Privilege escalation via custom workspace