B0B0Haha

Incorrect Authorization vulnerability of `/v2` experimental interface in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue.

DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue.

**Name of the Vulnerable Software and Affected Versions** Capsule versions prior to 0.13.0 **Description** The Capsule Controller runs with cluster-admin privileges. A flaw exists in the `HandleSection()` function within the `internal/controllers/resources/processor.go` file, where the processing logic for `TenantResource` `RawItems` fails to properly validate resource scopes. While the controller attempts to set a namespace using `obj.SetNamespace()`, this action is ignored by the Kubernetes API for cluster-scoped resources. Consequently, users with Tenant Owner privileges can leverage the controller's elevated permissions to create cluster-scoped resources, such as `ClusterRole` and `ValidatingWebhookConfiguration`, which they are not authorized to create directly. This can lead to cross-tenant privilege escalation, cluster-level attacks, theft of sensitive data from all tenants via malicious webhooks, or cluster-wide denial of service. **Recommendations** Update to version 0.13.0. As a temporary workaround, restrict the permissions of the Capsule Controller's ServiceAccount to remove `cluster-admin` privileges if not strictly required.

**Name of the Vulnerable Software and Affected Versions** Apache Camel K versions 2.0.0 through 2.8.0 Apache Camel K versions 2.9.0 through 2.9.1 Apache Camel K versions 2.10.0 **Description** Authorized users in a Kubernetes namespace can create a Build resource to control Pod generation in a namespace of their choice, including the operator namespace. This cross-namespace flaw allows users to hijack pods in secure namespaces through an externally controlled reference to a resource in another sphere and authorization bypass via a user-controlled key. **Recommendations** Update versions 2.0.0 through 2.8.0 to 2.8.1. Update versions 2.9.0 through 2.9.1 to 2.9.2. Update version 2.10.0 to 2.10.1.

**Name of the Vulnerable Software and Affected Versions** local-path-provisioner versions prior to 0.0.36 **Description** A malicious user with permissions to edit the `local-path-config` ConfigMap in the `local-path-storage` namespace can manipulate the `helperPod.yaml` template. This template is used to create HelperPods during PVC provisioning and cleanup operations but is not sufficiently validated before use. An attacker can inject security-sensitive fields such as `securityContext.privileged`, `hostPath` volumes, and Linux capabilities into the template. When a PVC operation triggers the creation of a HelperPod, the provisioner uses the attacker-controlled template, potentially resulting in a privileged pod running on the target node with the host root filesystem mounted. This allows the attacker to access sensitive host files, read ServiceAccount tokens from other pods on the same node, access other tenants' local-path volume data, or modify files on the host node. **Recommendations** Update to version 0.0.36 or later. Restrict write access to the `local-path-config` ConfigMap in the `local-path-storage` namespace to trusted administrators only. Mark the `local-path-config` ConfigMap as immutable. Enable Kubernetes Pod Security Admission for the `local-path-storage` namespace by enforcing the `baseline` policy to prevent the creation of privileged HelperPods.

**Name of the Vulnerable Software and Affected Versions** DevSpace versions prior to 6.3.21 **Description** The UI server WebSocket accepts connections from all origins by default, exposing several endpoints. A malicious website visited by a developer using a browser can establish a cross-origin WebSocket connection to 'ws://127.0.0.1:8090'. This allows unauthorized access to the following endpoints: - '/api/logs' to stream real-time pod logs - '/api/enter' to open an interactive shell inside the running pod - '/api/command' to execute pre-defined pipeline commands **Recommendations** Update to version 6.3.21 or later.

**Name of the Vulnerable Software and Affected Versions** Contour versions 1.19.0 through 1.31.5 Contour versions 1.32.0 through 1.32.4 Contour versions 1.33.0 through 1.33.3 **Description** The Cookie Rewriting feature is susceptible to Lua code injection. An attacker with RBAC permissions to create or modify HTTPProxy resources can provide malicious values in the `spec.routes[].cookieRewritePolicies[].pathRewrite.value` or `spec.routes[].services[].cookieRewritePolicies[].pathRewrite.value` variables, leading to arbitrary code execution in the Envoy proxy. This occurs because user-controlled values are interpolated into Lua source code using Go text/template without sufficient sanitization. While the injected code executes only on the attacker's own route, it can be used to read Envoy xDS client credentials from the filesystem—potentially exposing TLS certificates and private keys of other tenants—or cause a denial of service for other tenants sharing the Envoy instance. **Recommendations** Update to version 1.31.6. Update to version 1.32.5. Update to version 1.33.4.

**Name of the Vulnerable Software and Affected Versions** KubePlus version 4.14 **Description** The '/registercrd' endpoint in the kubeconfiggenerator component is susceptible to command injection. The issue occurs because the component utilizes the `subprocess.Popen()` function with the `shell=True` parameter to execute shell commands, directly concatenating the user-supplied `chartName` parameter into the command string without proper sanitization or validation. This allows an attacker to execute arbitrary shell commands by providing a malicious value for the `chartName` variable. **Recommendations** As a temporary workaround, avoid using the `chartName` parameter in the '/registercrd' endpoint until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** KubePlus version 4.1.4 **Description** KubePlus versions 4.1.4 contain a Server-Side Request Forgery (SSRF) issue within the mutating webhook and kubeconfiggenerator components when handling the `chartURL` field of ResourceComposition resources. The `chartURL` field is URL-encoded without proper validation of the target address. Specifically, when the kubeconfiggenerator component uses `wget` to download charts, the `chartURL` is directly incorporated into the command, enabling attackers to inject `wget`'s `--header` option and achieve arbitrary HTTP header injection. The API endpoint used for chart downloads is not specified. The vulnerable parameter is `chartURL`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SchemaHero version 0.23.0 **Description** A SQL Injection issue exists in SchemaHero version 0.23.0. The issue is located in the `columnAsInsert` function within the `plugins/postgres/lib/column.go` file, specifically through the `column` parameter. The vulnerability allows for potential manipulation of SQL queries through the `column` parameter. **Recommendations** Update to a newer version of SchemaHero that addresses this issue. As a temporary workaround, consider restricting access to the `columnAsInsert` function or carefully validating the `column` parameter before use.

**Name of the Vulnerable Software and Affected Versions** SchemaHero version 0.23.0 **Description** A SQL Injection issue exists in SchemaHero version 0.23.0. The issue is due to a flaw in the `mysqlColumnAsInsert` function within the `plugins/mysql/lib/column.go` file, specifically related to the `column` parameter. This allows for potential manipulation of SQL queries. The `column` parameter is vulnerable. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the `mysqlColumnAsInsert` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Kube-router versions prior to 2.8.0 **Description** Kube-router's proxy module does not validate externalIPs or loadBalancer IPs before programming them into the node's network configuration. This impacts multi-tenant clusters where untrusted users have namespace-scoped permissions to create or modify Services. The `buildServicesInfo()` function copies IPs from `Service.spec.externalIPs` and `status.loadBalancer.ingress` without validating them against the `--service-external-ip-range` parameter. An attacker can bind arbitrary VIPs on all cluster nodes or cause denial of service to critical cluster services such as kube-dns. The `--service-external-ip-range` parameter is only used by the netpol module and is not checked by the proxy module. This allows attackers to potentially hijack traffic or disrupt DNS services. The vulnerability can be exploited by creating a Service with an externalIP matching the kube-dns ClusterIP, redirecting all DNS queries to attacker-controlled pods. The issue is not unique to kube-router, as the upstream Kubernetes project identified a similar issue as CVE-2020-8554. **Recommendations** Update to Kube-router version 2.8.0 or later.

**Name of the Vulnerable Software and Affected Versions** Nuclio versions prior to 1.15.20 **Description** Nuclio's Shell Runtime component contains a command injection issue. When a function is invoked via HTTP, the runtime reads the `X-Nuclio-Arguments` header and directly incorporates its value into shell commands without validation or sanitization. This allows attackers with function invocation permissions to inject malicious commands, potentially executing arbitrary code with root privileges in function containers, stealing ServiceAccount Tokens with cluster-admin level permissions, and ultimately gaining complete control over the Kubernetes cluster. The vulnerability stems from the lack of validation when processing user-supplied arguments in the `getCommandArguments` function and the subsequent execution of these arguments using `sh -c`. Attackers can exploit this by crafting malicious payloads in the `X-Nuclio-Arguments` header, leveraging shell metacharacters like semicolons, pipes, and backticks to inject arbitrary commands. The vulnerability affects all versions that include the Shell Runtime component. A successful exploit can lead to complete cluster compromise, including data breaches, supply chain attacks, and ransomware deployment. **Recommendations** Disable the Shell Runtime by setting `enabled: false` in the Nuclio platform configuration. Restrict function deployment permissions using Role-Based Access Control (RBAC) to limit who can deploy functions. Implement strict input validation in the `getCommandArguments` function to filter out unsafe characters. Remove the use of `sh -c` execution and use parameterized command execution instead. Limit the permissions of the ServiceAccount used by function pods to reduce the potential impact of a successful exploit.

**Name of the Vulnerable Software and Affected Versions** Kruise versions prior to 1.8.3 Kruise versions prior to 1.7.5 **Description** Kruise allows automated management of applications on Kubernetes. A flaw exists in the PodProbeMarker functionality where the webhook validation does not restrict the 'Host' field in custom probe configurations using TCPSocket or HTTPGet handlers. Because kruise-daemon runs with hostNetwork enabled, it executes probes from the node's network namespace. An attacker with permission to create PodProbeMarkers can specify arbitrary 'Host' values to trigger Server-Side Request Forgery (SSRF) from the node, perform port scanning, and receive response feedback through NodePodProbe status messages. The vulnerability allows access to node-local services, cloud metadata, and internal network resources. The `tcpSocket` probe remains vulnerable, while `httpGet` probes are rejected by the webhook in OpenKruise v1.8.0. The vulnerable component is the `PodProbeMarker` and the affected function is `newTCPSocketProber`. **Recommendations** Versions prior to 1.8.3: Update to version 1.8.3 or later. Versions prior to 1.7.5: Update to version 1.7.5 or later. Restrict PodProbeMarker creation permissions. Apply network policies limiting kruise-daemon egress traffic. Audit existing PodProbeMarker resources.

**Name of the Vulnerable Software and Affected Versions** Kargo versions 1.9.0 through 1.9.2 **Description** Kargo manages and automates the promotion of software artifacts. The authorization model includes a 'promote' verb intended to control access to promotion pipelines. While correctly enforced in the gRPC API, three endpoints in the REST API omit this check, relying solely on standard Kubernetes RBAC. This allows users with standard permissions, but without explicit 'promote' access, to bypass intended authorization boundaries. The affected **API Endpoints** are /v1beta1/projects/{project}/freight/{freight}/approve, /v1beta1/projects/{project}/stages/{stage}/promotions, and /v1beta1/projects/{project}/stages/{stage}/promotions/downstream. The issue stems from a missing authorization check for the 'promote' verb on these endpoints. **Recommendations** Upgrade to version 1.9.3 or later to resolve this issue.

**Name of the Vulnerable Software and Affected Versions** Kargo versions 1.7.0 through 1.7.7 Kargo version 1.8.11 Kargo version 1.9.3 **Description** Kargo manages and automates the promotion of software artifacts. The batch resource creation endpoints of both Kargo's legacy gRPC API and newer REST API accept multi-document YAML payloads. Specially crafted payloads can allow an attacker to inject arbitrary resources into the underlying namespace of an existing Project using the API server's own permissions when this behavior is not intended. This can be exploited to elevate permissions, potentially leading to remote code execution or secret exfiltration. Exfiltrated artifact repository credentials could be used for further attacks. In some Kubernetes cluster configurations, elevated permissions may enable remote code execution or secret exfiltration using `kubectl`. The **API Endpoints** affected are the batch resource creation endpoints of both the legacy gRPC API and the newer REST API. The issue stems from the logic within these endpoints when processing multi-document YAML payloads. An attacker can leverage this to inject resources into existing Projects. **Recommendations** Update to Kargo version 1.7.8 or later. Update to Kargo version 1.8.11. Update to Kargo version 1.9.3 or later.

**Name of the Vulnerable Software and Affected Versions** Yoke versions 0.19.0 and earlier **Description** Yoke's Air Traffic Controller (ATC) component contains a flaw that allows users with Custom Resource (CR) create/update permissions to execute arbitrary WASM code. This is achieved by injecting a malicious URL through the `overrides.yoke.cd/flight` annotation. The ATC controller downloads and executes the WASM module without validating the URL, potentially enabling attackers to create arbitrary Kubernetes resources or escalate privileges. The vulnerability resides in the handling of the `overrides.yoke.cd/flight` annotation, where the controller directly uses the user-provided URL without proper validation. The permission check only verifies `update` permission on `airways` resources, failing to prevent the execution of arbitrary WASM code. A Proof of Concept (PoC) demonstrates the creation of a malicious WASM module that creates a ConfigMap named `stolen-credentials` in the cluster, proving arbitrary code execution. The vulnerability is categorized as Remote Code Execution (RCE) / Code Injection. Attackers with CR create/update permissions and network access to host malicious WASM can exploit this issue. The impact includes potential compromise of confidentiality, integrity, and availability. **Recommendations** Versions prior to 0.19.0: Disable the annotation override feature by removing or disabling the `overrides.yoke.cd/flight` annotation processing in production environments. Versions prior to 0.19.0: Restrict the ATC controller's outbound network access to prevent downloading external WASM modules. Versions prior to 0.19.0: Limit CR create/update permissions to trusted users only. Versions prior to 0.19.0: Deploy a validating webhook to reject CRs with `overrides.yoke.cd/flight` annotations.

**Name of the Vulnerable Software and Affected Versions** Yoke versions 0.18.x and earlier **Description** The Air Traffic Controller (ATC) component of Yoke lacks proper authentication mechanisms for its webhook endpoints. This allows any pod within the cluster network to send AdmissionReview requests directly to the webhook, bypassing Kubernetes API Server authentication. Attackers can exploit this to trigger WASM module execution in the ATC controller context without authorization. The vulnerable endpoints include '/validations/{airway}', '/validations/resources', '/validations/flights.yoke.cd', '/validations/airways.yoke.cd', and '/crdconvert/{airway}'. The issue stems from the absence of TLS client certificate verification, request source validation, or any form of authentication middleware in the HTTP handler implementation. An attacker can send crafted AdmissionReview requests to these endpoints, potentially leading to unauthorized WASM execution and, combined with other issues, the creation of arbitrary Kubernetes resources. The impact includes potential confidentiality, integrity, and availability concerns. **Recommendations** Versions prior to 0.19.0: Deploy a NetworkPolicy to restrict access to the ATC service, allowing only kube-apiserver to connect. Versions prior to 0.19.0: Use a service mesh (Istio, Linkerd) to enforce mTLS between services. Versions prior to 0.19.0: Implement strict pod security policies to limit which pods can be created in the cluster.

**Name of the Vulnerable Software and Affected Versions** Devtron versions prior to 2.0.0 **Description** Devtron is a tool integration platform for Kubernetes. A flaw exists in the Attributes API interface that allows authenticated users to obtain the global API Token signing key by accessing the `/orchestrator/attributes?key=apiTokenSecret` endpoint. Obtaining this key enables attackers to forge JWT tokens for arbitrary user identities offline, potentially granting complete control over the Devtron platform and allowing lateral movement to the underlying Kubernetes cluster. The issue was addressed with commit d2b0d26. **Recommendations** Update to a version later than 2.0.0.

**Name of the Vulnerable Software and Affected Versions** Podman Desktop versions prior to 1.25.1 **Description** Podman Desktop is a graphical tool for developing on containers and Kubernetes. A critical authentication bypass allows any extension to circumvent permission checks and gain unauthorized access to all authentication sessions. The `isAccessAllowed()` function unconditionally returns `true`, enabling malicious extensions to impersonate any user, hijack authentication sessions, and access sensitive resources without authorization. **Recommendations** Update Podman Desktop to version 1.25.1 or later.