CVE-2025-27616

EPSS 0.09%
Veröffentlicht 10.03.2025 18:56:14
Zuletzt bearbeitet 10.03.2025 19:15:41
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to a separate repository. These secrets could be exfiltrated by follow up builds to the repository. Users with an enabled repository with access to repo level CI secrets in Vela are vulnerable to the exploit, and any user with access to the CI instance and the linked source control manager can perform the exploit. Versions 0.25.3 and 0.26.3 fix the issue. No known workarounds are available.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 8

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellergo-vela

≫

Produkt server

Version < 0.25.3

Status affected

Version >= 0.26.0, < 0.26.3

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.09%	0.26

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.5	1.8	6	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-290 Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

CWE-345 Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

https://github.com/go-vela/server/security/advisories/GHSA-9m63-33q3-xq5x

https://github.com/go-vela/server/commit/257886e5a3eea518548387885894e239668584f5

https://github.com/go-vela/server/commit/67c1892e2464dc54b8d2588815dfb7819222500b

https://github.com/go-vela/server/releases/tag/v0.25.3

https://github.com/go-vela/server/releases/tag/v0.26.3

https://nvd.nist.gov/vuln/detail/CVE-2025-27616

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-27616

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-27616

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-27616