CVE-2024-41121

Description

Woodpecker's custom workspace allow to overwrite plugin entrypoint executable in go.woodpecker-ci.org/woodpecker

How to fix CVE-2024-41121

To remediate CVE-2024-41121, upgrade the affected package to a fixed version below.

• Go/go.woodpecker-ci.org/woodpecker—upgrade to 2.7.0 or later
• —no fix listed
• —upgrade to 2.7.0 or later
• —upgrade to 2.7.0 or later

Is CVE-2024-41121 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• from 0, < 2.7.0
• from 0
• from 0, < 2.7.0
• from 0, < 2.7.0

CVSS scores

References (10)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-41121
• PATCHgithub.com/woodpecker-ci/woodpecker
• WEBgithub.com/woodpecker-ci/woodpecker/commit/764329ed1dbc47c4a517ccc749e3feb34059fac8
• WEBgithub.com/woodpecker-ci/woodpecker/issues/3924