Privilege escalation in Go-vela Server
CVE-2022-39395
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow e…
Vulnerability class: Privilege Escalation
EPSS: 0.011 (60.6th percentile).
CVSS v3 metric
CVSS v3 base score 9.6 (Critical). Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
Affected products
- Go-vela Server — versions < 0.16.0
- Go-vela UI — versions < 0.17.0
- Go-vela Worker — versions < 0.16.0
Frequently asked questions
- What is CVE-2022-39395?
- CVE-2022-39395 is a critical-severity vulnerability in Go-vela Server, classified under Improper Privilege Management. CVSS score: 9.6/10. Published 2022-11-10.
- How severe is CVE-2022-39395?
- Critical severity. CVSS v3 base score is 9.6 out of 10.
- Is CVE-2022-39395 known to be exploited?
- 3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.