Impact

The server allow to create any user who can trigger a pipeline run malicious workflows:

• Those workflows can either lead to a host takeover that runs the agent executing the workflow.
• Or allow to extract the secrets who would be normally provided to the plugins who's entrypoint are overwritten.

Patches

woodpecker-ci/woodpecker#3909
woodpecker-ci/woodpecker#3934

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?
Enable the "gated" repo feature and review each change upfront of running

References

• woodpecker-ci/woodpecker#3909
• woodpecker-ci/woodpecker#3934
• https://github.com/woodpecker-ci/woodpecker-security/issues/10 (info will be published later at woodpecker-ci/woodpecker#3929)
• woodpecker-ci/woodpecker#3929 (info will be published later once we got adoption of the update)

Credits

• Daniel Kilimnik @D_K_Dev (Neodyme AG)
• Felipe Custodio Romero @localo (Neodyme AG)

References

• GHSA-3wf2-2pq4-4rvc
• woodpecker-ci/woodpecker#3929
• woodpecker-ci/woodpecker#3909
• woodpecker-ci/woodpecker#3934
• woodpecker-ci/woodpecker@8aa3e5e
• https://nvd.nist.gov/vuln/detail/CVE-2024-41122
• https://github.com/woodpecker-ci/woodpecker-security/issues/10
• https://pkg.go.dev/vuln/GO-2024-2998