Go Vela Webhook Spoofing Vulnerability Allows Repository Ownership Transfer and Secret Exfiltration

Vulnerability

A vulnerability in Go Vela's webhook handling can lead to unauthorized transfer of repository ownership and exfiltration of repository-level CI secrets. This issue affects versions prior to 0.25.3 and 0.26.0 through 0.26.2. The vulnerability arises from insufficient verification of webhook payload data, allowing an attacker to spoof a webhook with specific headers and body content. This can result in the unauthorized transfer of a repository and its associated secrets to another repository, from which the secrets can be extracted during subsequent CI/CD builds.

Impact

Exploitation of this vulnerability allows for the unauthorized transfer of repository ownership and its associated secrets to another repository. The transferred secrets can then be accessed through subsequent builds in that repository.

Reproduction

To reproduce this vulnerability, send a spoofed webhook payload to a Vela CI instance with an active repository that has access to repository-level CI secrets. The payload must include specific headers and body data to trigger the ownership transfer. Once the ownership is transferred, the repository-level secrets can be accessed through the CI/CD pipeline.

Remediation

Users can upgrade to Vela versions 0.25.3 or 0.26.3, both of which include patches for this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (Custom Algorithm)

spread:          0.0
impact:          5.0
exploitability:  4.3
remediation:     7.7
relevance:       0.0
threat:          4.8
urgency:         2.9
incentive:       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.