Woodpecker
Monthly
Approval-gate bypass in Woodpecker CI before 3.15.0 lets an attacker who can open a merge request from a fork against a GitLab-backed repository run unapproved, attacker-controlled pipelines. Because the GitLab forge driver populates pipeline.Author from the spoofable git commit author name (commit.author.name) rather than the GitLab-validated user identity, an attacker simply sets the commit author to a name listed in ApprovalAllowedUsers, making needsApproval return false. This grants arbitrary CI step execution on a Woodpecker agent and exposure of CI secrets; there is no public exploit identified at time of analysis, but the issue was reported by VulnCheck and is trivially reproducible.
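The approval check described above, reduced to the flawed gate beside the corrected one, as an added illustration that is not Woodpecker's own code: the Pipeline and RepoConfig types, the ForgeUserID field, the FromFork flag and the two function names are assumptions made for this example, while Author and ApprovalAllowedUsers are the names the summary uses.

```go
package main

import "fmt"

// Pipeline models only the fields relevant to the approval decision.
// Author is the free-text git commit author name taken from the webhook
// (spoofable by whoever pushed the commit); ForgeUserID is the identity the
// forge (GitLab) validated for the merge-request author (assumed field name).
type Pipeline struct {
	Author      string
	ForgeUserID string
	FromFork    bool
}

// RepoConfig carries the ApprovalAllowedUsers setting named above, assumed
// here to hold forge usernames.
type RepoConfig struct {
	ApprovalAllowedUsers []string
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// needsApprovalFlawed has the shape of the pre-3.15.0 gate described above:
// the allow-list is matched against the commit author name.
func needsApprovalFlawed(p Pipeline, cfg RepoConfig) bool {
	return p.FromFork && !contains(cfg.ApprovalAllowedUsers, p.Author)
}

// needsApprovalFixed keys the decision on the forge-validated identity only;
// the commit author string is never consulted.
func needsApprovalFixed(p Pipeline, cfg RepoConfig) bool {
	return p.FromFork && !contains(cfg.ApprovalAllowedUsers, p.ForgeUserID)
}

func main() {
	cfg := RepoConfig{ApprovalAllowedUsers: []string{"maintainer"}}
	// Constructed sample: a fork MR whose commit author name matches a
	// trusted name while the validated GitLab identity is an outsider.
	p := Pipeline{Author: "maintainer", ForgeUserID: "outsider", FromFork: true}
	fmt.Println("flawed gate requires approval:", needsApprovalFlawed(p, cfg)) // false
	fmt.Println("fixed gate requires approval:", needsApprovalFixed(p, cfg))   // true
}
```

A detection-side reading of the same comparison: any pipeline from a fork whose commit author name matches an allow-listed user but whose forge-validated author does not is worth alerting on in servers that have not yet upgraded.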
Unauthenticated NULL pointer dereference in Woodpecker CI before 3.15.0 allows any network attacker to flood server logs by repeatedly probing the unprotected /api/orgs/lookup/ endpoint. The LookupOrg handler unconditionally dereferences the session user object, which is nil for unauthenticated callers, triggering a Go panic on every such request; gin's recovery middleware catches each panic and returns HTTP 500, keeping the server alive but writing approximately 37 lines of stack trace per request to the error log. No active exploitation is confirmed in CISA KEV, but the zero-prerequisite attack surface - no credentials, no special configuration, no user interaction - makes low-bandwidth log-flooding trivially achievable by any unauthenticated network attacker.