Lixingquzhi

**Name of the Vulnerable Software and Affected Versions** KubePlus version 4.14 **Description** The '/registercrd' endpoint in the kubeconfiggenerator component is susceptible to command injection. The issue occurs because the component utilizes the `subprocess.Popen()` function with the `shell=True` parameter to execute shell commands, directly concatenating the user-supplied `chartName` parameter into the command string without proper sanitization or validation. This allows an attacker to execute arbitrary shell commands by providing a malicious value for the `chartName` variable. **Recommendations** As a temporary workaround, avoid using the `chartName` parameter in the '/registercrd' endpoint until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SchemaHero version 0.23.0 **Description** A SQL Injection issue exists in SchemaHero version 0.23.0. The issue is located in the `columnAsInsert` function within the `plugins/postgres/lib/column.go` file, specifically through the `column` parameter. The vulnerability allows for potential manipulation of SQL queries through the `column` parameter. **Recommendations** Update to a newer version of SchemaHero that addresses this issue. As a temporary workaround, consider restricting access to the `columnAsInsert` function or carefully validating the `column` parameter before use.

**Name of the Vulnerable Software and Affected Versions** Yoke versions 0.18.x and earlier **Description** The Air Traffic Controller (ATC) component of Yoke lacks proper authentication mechanisms for its webhook endpoints. This allows any pod within the cluster network to send AdmissionReview requests directly to the webhook, bypassing Kubernetes API Server authentication. Attackers can exploit this to trigger WASM module execution in the ATC controller context without authorization. The vulnerable endpoints include '/validations/{airway}', '/validations/resources', '/validations/flights.yoke.cd', '/validations/airways.yoke.cd', and '/crdconvert/{airway}'. The issue stems from the absence of TLS client certificate verification, request source validation, or any form of authentication middleware in the HTTP handler implementation. An attacker can send crafted AdmissionReview requests to these endpoints, potentially leading to unauthorized WASM execution and, combined with other issues, the creation of arbitrary Kubernetes resources. The impact includes potential confidentiality, integrity, and availability concerns. **Recommendations** Versions prior to 0.19.0: Deploy a NetworkPolicy to restrict access to the ATC service, allowing only kube-apiserver to connect. Versions prior to 0.19.0: Use a service mesh (Istio, Linkerd) to enforce mTLS between services. Versions prior to 0.19.0: Implement strict pod security policies to limit which pods can be created in the cluster.

**Name of the Vulnerable Software and Affected Versions** Yoke versions 0.19.0 and earlier **Description** Yoke's Air Traffic Controller (ATC) component contains a flaw that allows users with Custom Resource (CR) create/update permissions to execute arbitrary WASM code. This is achieved by injecting a malicious URL through the `overrides.yoke.cd/flight` annotation. The ATC controller downloads and executes the WASM module without validating the URL, potentially enabling attackers to create arbitrary Kubernetes resources or escalate privileges. The vulnerability resides in the handling of the `overrides.yoke.cd/flight` annotation, where the controller directly uses the user-provided URL without proper validation. The permission check only verifies `update` permission on `airways` resources, failing to prevent the execution of arbitrary WASM code. A Proof of Concept (PoC) demonstrates the creation of a malicious WASM module that creates a ConfigMap named `stolen-credentials` in the cluster, proving arbitrary code execution. The vulnerability is categorized as Remote Code Execution (RCE) / Code Injection. Attackers with CR create/update permissions and network access to host malicious WASM can exploit this issue. The impact includes potential compromise of confidentiality, integrity, and availability. **Recommendations** Versions prior to 0.19.0: Disable the annotation override feature by removing or disabling the `overrides.yoke.cd/flight` annotation processing in production environments. Versions prior to 0.19.0: Restrict the ATC controller's outbound network access to prevent downloading external WASM modules. Versions prior to 0.19.0: Limit CR create/update permissions to trusted users only. Versions prior to 0.19.0: Deploy a validating webhook to reject CRs with `overrides.yoke.cd/flight` annotations.