CVE-2022-39395 Overview
CVE-2022-39395 is an Insecure Default Configuration vulnerability affecting the Vela Pipeline Automation (CI/CD) framework built on Linux container technology. The vulnerability exists in Vela Server and Vela Worker prior to version 0.16.0, and Vela UI prior to version 0.17.0, where default configurations allow exploitation and container breakouts. This security flaw enables attackers with low-privilege access to potentially escape container isolation and compromise the underlying host system.
Critical Impact
Attackers can exploit insecure default configurations to achieve container breakouts, potentially gaining access to the host system and other containers, leading to complete compromise of the CI/CD infrastructure.
Affected Products
- go-vela server (versions prior to 0.16.0)
- go-vela worker (versions prior to 0.16.0)
- go-vela ui (versions prior to 0.17.0)
Discovery Timeline
- November 10, 2022 - CVE-2022-39395 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2022-39395
Vulnerability Analysis
The vulnerability stems from insecure default configurations in the Vela CI/CD framework that expose the system to container breakout attacks. Vela, written in Golang and built on Linux container technology, allows users to define pipeline configurations that execute within containers. When default settings are not explicitly hardened, attackers can leverage privileged container capabilities to escape the container sandbox and gain access to the underlying host system.
The core issue relates to CWE-269 (Improper Privilege Management), where the default behavior of the Vela worker allows certain images to run with elevated privileges. This design flaw means that without explicit administrator intervention, the system operates in an insecure state. Additionally, the default event handling configuration in the server component automatically enables pull request events, which can be exploited by malicious actors to trigger pipeline executions with crafted payloads.
Root Cause
The root cause is improper privilege management in default configurations across multiple Vela components. Specifically, the VELA_RUNTIME_PRIVILEGED_IMAGES setting on the worker component is not empty by default, allowing privileged container execution. Furthermore, the server's default event configuration automatically enables pull_request events alongside push events, expanding the attack surface by allowing external contributors to trigger pipeline executions. The lack of a restrictive repository allowlist (VELA_REPO_ALLOWLIST) means any repository can be enabled by default, creating opportunities for unauthorized pipeline execution.
Attack Vector
The vulnerability is exploitable over the network by authenticated users with low privileges. An attacker could exploit this vulnerability through multiple vectors:
- Privileged Container Abuse: By crafting a pipeline configuration that specifies a privileged image, attackers can run containers with elevated host access, enabling container escape techniques
- Pull Request Exploitation: Malicious actors with access to enabled repositories can submit pull requests containing pipeline configurations designed to exploit the privileged execution context
- Unrestricted Repository Access: Without an allowlist, attackers can enable repositories under their control and configure them to execute malicious pipelines
The following patch from the GitHub Security Advisory shows the fix to the default event configuration in api/repo.go:
if !input.GetAllowPull() && !input.GetAllowPush() &&
!input.GetAllowDeploy() && !input.GetAllowTag() &&
!input.GetAllowComment() {
- // default events to push and pull_request
- r.SetAllowPull(true)
+ // default event to push
r.SetAllowPush(true)
} else {
r.SetAllowComment(input.GetAllowComment())
Source: GitHub Commit Update
This patch removes the automatic enabling of pull request events, reducing the attack surface by requiring explicit configuration to enable pull request-triggered pipelines.
Detection Methods for CVE-2022-39395
Indicators of Compromise
- Unexpected privileged container executions in Vela worker logs
- Pipeline executions triggered by pull requests from unknown or untrusted external contributors
- Unusual repository enablement activity in Vela server audit logs
- Container escape indicators such as access to host filesystem paths or Docker socket
Detection Strategies
- Monitor Vela worker logs for containers running with --privileged flag or elevated capabilities
- Audit enabled repositories and compare against authorized repository lists
- Review pipeline configurations for suspicious privileged image usage or host volume mounts
- Implement alerting on pull request-triggered pipeline executions from external contributors
Monitoring Recommendations
- Enable comprehensive logging for all Vela components (Server, Worker, UI)
- Configure alerts for any new repository enablement events
- Monitor for unusual patterns in pipeline execution frequency or timing
- Implement container runtime security monitoring to detect escape attempts
How to Mitigate CVE-2022-39395
Immediate Actions Required
- Upgrade Vela Server and Worker to version 0.16.0 or later immediately
- Upgrade Vela UI to version 0.17.0 or later
- Review and explicitly configure VELA_RUNTIME_PRIVILEGED_IMAGES to be empty unless privileged images are absolutely required
- Implement VELA_REPO_ALLOWLIST to restrict which repositories can be enabled
- Audit all currently enabled repositories and disable pull request triggers where not needed
Patch Information
Official patches are available in the following releases:
After upgrading, administrators must explicitly reconfigure default settings as the patch changes default behaviors. Review the GitHub Security Advisory GHSA-5m7g-pj8w-7593 for complete details on configuration changes required post-upgrade.
Workarounds
- Set VELA_RUNTIME_PRIVILEGED_IMAGES to an explicitly empty value on the worker component to prevent privileged container execution
- Configure VELA_REPO_ALLOWLIST on the server component to restrict repository enablement to a trusted list
- Manually audit all enabled repositories and disable pull_request event triggers where not required
- Implement network segmentation to limit potential blast radius of container breakouts
# Configuration example for Vela Worker
export VELA_RUNTIME_PRIVILEGED_IMAGES=""
# Configuration example for Vela Server
export VELA_REPO_ALLOWLIST="org/trusted-repo-1,org/trusted-repo-2"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
