Horizon Alert
Summary of the vulnerability and why it matters
This vulnerability affects Woodpecker CI systems, specifically when using the GitLab forge driver. It allows an attacker to bypass required pipeline approvals by manipulating commit author information, potentially leading to the execution of unauthorized code and exfiltration of sensitive data. The primary concern is to confirm if your environment utilizes the GitLab forge driver within Woodpecker.
- Unapproved pipelines can run via spoofed commit authors.
- Bypasses security checks for code execution and data access.
- Confirm GitLab forge driver usage in Woodpecker.
Attack Path
How an attacker could exploit the issue
An attacker could exploit this vulnerability by forking a repository and controlling the commit author name within the webhook payload. This allows them to bypass security checks designed to prevent unapproved pipelines from running, potentially leading to the execution of malicious code on a Woodpecker agent and the exposure of sensitive information.
- Attacker forks repository to control payload.
- Submits merge request with crafted commit author.
- Leads to unauthorized pipeline execution and secret exfiltration.
Live Threat
Current exploitation, exposure, and threat context
This vulnerability could allow an attacker to bypass required approvals for pipelines running on Woodpecker agents. When a merge request originates from a fork in GitLab, an attacker can control the commit author name in the webhook payload. If this forged name matches an entry in Woodpecker's `ApprovalAllowedUsers` list, the pipeline will run without the necessary approval, potentially executing attacker-controlled steps and exfiltrating CI secrets. This bypass specifically affects the GitLab forge driver; other drivers are not impacted because they derive the author identity from forge-validated sources.
- Compromise of CI/CD pipelines and secrets.
- Attacker forges commit author name in webhook.
- Unauthorized pipeline execution and secret exfiltration.
Operational Fix
Recommended remediation, mitigation, and detection steps
The Woodpecker CI/CD system's GitLab integration is susceptible to a bypass of approval checks due to a spoofable commit author name in webhook payloads. Teams responsible for CI/CD infrastructure, application security, and potentially platform engineering should lead the remediation efforts. The initial step involves identifying all instances of Woodpecker using the GitLab forge driver, assessing their exposure, and confirming the business criticality of affected pipelines before planning remediation.
- Own the issue: CI/CD and Platform teams.
- Verify first: Woodpecker GitLab integration exposure.
- Action: Plan risk-based remediation.