Stefreak

#18353 of 53,633
14.8 CVSS total
Vulnerabilities · 2
Medium: 1
High: 1
PT-2023-29227
8.2
2023-10-09
Unknown · Kubernetes · CVE-2023-44392
**Name of the Vulnerable Software and Affected Versions**

Garden versions prior to 0.13.17
Garden versions prior to 0.12.65

**Description**

Garden has a dependency on the cryo library, which is vulnerable to code injection due to an insecure implementation of deserialization. Garden stores serialized objects using cryo in the Kubernetes `ConfigMap` resources prefixed with `test-result` and `run-result` to cache Garden test and run results. These `ConfigMaps` are stored either in the `garden-system` namespace or the configured user namespace.

When a user invokes the command `garden test` or `garden run`, objects stored in the `ConfigMap` are retrieved and deserialized. An attacker with access to the Kubernetes cluster can use this to store malicious objects in the `ConfigMap`, which can trigger remote code execution on the user's machine when cryo deserializes the object.

In order to exploit this issue, an attacker must have access to the Kubernetes cluster used to deploy Garden remote environments. Further, a user must actively invoke either a `garden test` or `garden run` which has previously cached results.

**Recommendations**

To resolve the issue, update to Garden version 0.13.17 or later.
To resolve the issue, update to Garden version 0.12.65 or later.

As a temporary workaround, consider restricting access to the `garden-system` namespace and the configured user namespace to minimize the risk of exploitation. Avoid using the `garden test` and `garden run` commands with previously cached results until the issue is resolved.
PT-2023-25176
6.6
2023-06-19
Amazon · AWS CDK · CVE-2023-35165
**Name of the Vulnerable Software and Affected Versions**

aws-cdk-lib versions 2.0.0 through 2.80.0
@aws-cdk/aws-eks versions 1.57.0 through 1.202.0

**Description**

The issue concerns the AWS Cloud Development Kit (AWS CDK), an open-source software development framework. In the affected packages, `eks.Cluster` and `eks.FargateCluster` constructs create two roles, `CreationRole` and `default MastersRole`, with overly permissive trust policies. The `CreationRole` is used by lambda handlers to create the cluster and deploy Kubernetes resources, while the `default MastersRole` has permissions to execute `kubectl` commands on the cluster.

Users with CDK version higher than or equal to 1.62.0 (including v2 users) may be affected by the `CreationRole`, and users with CDK version higher than or equal to 1.57.0 (including v2 users) may be affected by the `default MastersRole`. The issue has been fixed in `@aws-cdk/aws-eks` v1.202.0 and `aws-cdk-lib` v2.80.0, which restrict the trust policy to specific roles of lambda handlers.

**Recommendations**

To resolve the issue for aws-cdk-lib versions 2.0.0 through 2.80.0, upgrade to version 2.80.0 or later.
To resolve the issue for @aws-cdk/aws-eks versions 1.57.0 through 1.202.0, upgrade to version 1.202.0 or later.

As a temporary workaround for the `default MastersRole`, use the `mastersRole` property to explicitly provide a role. For example: `new eks.Cluster(this, 'Cluster', { ... mastersRole: iam.Role.fromRoleArn(this, 'Admin', 'arn:aws:iam::xxx:role/Admin') });`