Windmill · Windmill · CVE-2026-47107
**Name of the Vulnerable Software and Affected Versions**
Windmill versions prior to 1.703.2
**Description**
Incorrect default permissions in the nsjail sandbox configuration files allow the `/etc` directory to be bind-mounted into the sandbox without a read-only restriction. This enables authenticated users to write arbitrary entries to `/etc/hosts`, `/etc/resolv.conf`, and `/etc/ssl/certs/ca-certificates.crt` during script execution. Attackers can create persistent poisoned entries on worker pods to redirect hostnames, intercept DNS queries, perform transparent HTTPS man-in-the-middle attacks, and intercept `WM_TOKEN` JWTs to obtain workspace-admin access to victim workspaces across different tenants.
**Recommendations**
Update to version 1.703.2.
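As an added defender-side check, not code from Windmill or nsjail: the script below parses nsjail's text-proto `mount { ... }` blocks (field names `src`, `dst`, `is_bind`, `rw`) and reports any read-write bind mount that covers one of the files named above; the weak and hardened configurations are constructed samples, not Windmill's own files.

```python
"""Scan an nsjail text-proto config for bind mounts that leave /etc writable.

Added check, not Windmill's own code. Field names (src, dst, is_bind, rw)
follow nsjail's mount { ... } config block; the sample configs are constructed.
"""
import re

# Files the advisory names as abusable when writable inside the sandbox.
SENSITIVE = ("/etc/hosts", "/etc/resolv.conf", "/etc/ssl/certs/ca-certificates.crt")

MOUNT_BLOCK = re.compile(r"\bmount\s*\{(.*?)\}", re.DOTALL)
FIELD = re.compile(r'(\w+)\s*:\s*("([^"]*)"|true|false)')


def parse_mounts(config_text):
    """Return one dict per mount { ... } block; strings and bools decoded."""
    mounts = []
    for block in MOUNT_BLOCK.finditer(config_text):
        fields = {}
        for m in FIELD.finditer(block.group(1)):
            key, raw, quoted = m.group(1), m.group(2), m.group(3)
            fields[key] = quoted if quoted is not None else (raw == "true")
        mounts.append(fields)
    return mounts


def covers(dst, path):
    """True if a mount at dst contains path (dst equals path or is an ancestor)."""
    dst = dst.rstrip("/")
    return dst == "" or path == dst or path.startswith(dst + "/")


def find_writable_sensitive(config_text):
    """List (dst, sensitive_path) pairs for rw bind mounts that cover a sensitive file."""
    findings = []
    for m in parse_mounts(config_text):
        if not m.get("is_bind") or not m.get("rw"):  # nsjail mounts default to read-only
            continue
        dst = m.get("dst") or m.get("src", "")  # assumption: dst falls back to src when absent
        findings.extend((dst, p) for p in SENSITIVE if covers(dst, p))
    return findings


# Constructed weak config: /etc bound read-write, the pattern the advisory describes.
WEAK_CFG = """
mount { src: "/usr" dst: "/usr" is_bind: true }
mount { src: "/etc" dst: "/etc" is_bind: true rw: true }
mount { src: "/tmp/job" dst: "/tmp" is_bind: true rw: true }
"""
# Hardened variant: /etc read-only, only the job directory stays writable.
FIXED_CFG = WEAK_CFG.replace('"/etc" is_bind: true rw: true', '"/etc" is_bind: true rw: false')

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CFG), ("fixed", FIXED_CFG)):
        print(name, find_writable_sensitive(cfg) or "ok")
```

A bind mount of `/` or of a parent directory is reported as well, since it exposes the same files.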