CVE-2023-40034

EPSS 0.3%
Published 16.08.2023 21:15:10
Last modified 21.11.2024 08:18:33
Source security-advisories@github.com
Teams watchlist Login
Open Login

Woodpecker is a community fork of the Drone CI system. In affected versions an attacker can post malformed webhook data witch lead to an update of the repository data that can e.g. allow the takeover of an repo. This is only critical if the CI is configured for public usage and connected to a forge witch is also in public usage. This issue has been addressed in version 1.0.2. Users are advised to upgrade. Users unable to upgrade should secure the CI system by making it inaccessible to untrusted entities, for example, by placing it behind a firewall.

Affected products Warnungen 0 Metrics 3 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Woodpecker-ci ≫ Woodpecker Version >= 1.0.0 < 1.0.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.3%	0.526

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.1	2.2	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	8.1	2.2	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://github.com/woodpecker-ci/woodpecker/commit/6e4c2f84cc84661d58cf1c0e5c421a46070bb105

Patch

https://github.com/woodpecker-ci/woodpecker/pull/2221

Issue Tracking

https://github.com/woodpecker-ci/woodpecker/pull/2222

Issue Tracking

https://github.com/woodpecker-ci/woodpecker/security/advisories/GHSA-4gcf-5m39-98mc

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-40034

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-40034

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-40034

EUVD