PT-2023-29227 · Unknown+2 · Kubernetes+2

Stefreak · Published 2023-10-09 · Updated 2023-10-16 · CVE-2023-44392

CVSS v3.1: 8.2 High

Vector: AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Garden versions prior to 0.13.17
Garden versions prior to 0.12.65

Description

Garden has a dependency on the cryo library, which is vulnerable to code injection due to an insecure implementation of deserialization. Garden uses cryo to store serialized objects in Kubernetes ConfigMap resources prefixed with test-result and run-result, which cache Garden test and run results. These ConfigMaps are stored either in the garden-system namespace or in the configured user namespace.

When a user invokes the command garden test or garden run, objects stored in the ConfigMap are retrieved and deserialized. An attacker with access to the Kubernetes cluster can use this to store malicious objects in the ConfigMap, which can trigger remote code execution on the user's machine when cryo deserializes the object.

To exploit this issue, an attacker must have access to the Kubernetes cluster used to deploy Garden remote environments. Further, a user must actively invoke either a garden test or garden run which has previously cached results.

Recommendations

To resolve the issue, update to Garden version 0.13.17 or later, or to Garden version 0.12.65 or later.

As a temporary workaround, consider restricting access to the garden-system namespace and the configured user namespace to minimize the risk of exploitation. Avoid using the garden test and garden run commands with previously cached results until the issue is resolved.
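
A triage helper for the recommendations above, added here as an example and not taken from the advisory or from the Garden project: it checks a Garden version string against the fixed releases and inventories the test-result and run-result ConfigMaps from saved `kubectl get configmaps -A -o json` output, listing the field managers recorded for each so unexpected writers can be reviewed. The function names, the sample data and the handling of pre-release suffixes are assumptions.

```python
import json

# Fixed releases per the advisory: 0.12.65 on the 0.12 line, 0.13.17 on the 0.13 line.
FIXED_012 = (0, 12, 65)
FIXED_013 = (0, 13, 17)
CACHE_PREFIXES = ("test-result", "run-result")  # ConfigMap name prefixes from the advisory

def parse_version(text):
    """Parse 'X.Y.Z' (optional leading 'v'); pre-release/build suffixes are ignored (assumption)."""
    core = text.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) != 3:
        raise ValueError(f"expected X.Y.Z, got {text!r}")
    return parts

def is_affected(version):
    """True if this Garden version predates the fix on its release line."""
    v = parse_version(version)
    if v >= (0, 13, 0):
        return v < FIXED_013
    return v < FIXED_012

def cached_result_configmaps(kubectl_json):
    """Return sorted (namespace, name, writers) for cache ConfigMaps in
    `kubectl get configmaps -A -o json` output; writers are the field
    managers recorded in metadata.managedFields, for manual review."""
    hits = []
    for cm in json.loads(kubectl_json).get("items", []):
        meta = cm.get("metadata", {})
        name = meta.get("name", "")
        if name.startswith(CACHE_PREFIXES):
            writers = sorted({m.get("manager", "?") for m in meta.get("managedFields", [])})
            hits.append((meta.get("namespace", ""), name, writers))
    return sorted(hits)

# Constructed sample input (not real cluster data; manager names are illustrative).
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "test-result-abc123", "namespace": "garden-system",
                  "managedFields": [{"manager": "garden"}, {"manager": "kubectl-edit"}]}},
    {"metadata": {"name": "run-result-def456", "namespace": "my-app-dev",
                  "managedFields": [{"manager": "garden"}]}},
    {"metadata": {"name": "kube-root-ca.crt", "namespace": "my-app-dev"}},
]})

if __name__ == "__main__":
    print(is_affected("0.13.16"), cached_result_configmaps(SAMPLE))
```

A cache ConfigMap whose writers include anything other than the tooling expected in that environment is a candidate for deletion before the next garden test or garden run.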

Exploit

Fix

Weakness Enumeration

Deserialization of Untrusted Data
Code Injection

Related Identifiers

CVE-2023-44392
GHSA-HM75-6VC9-8RPR

Affected Products

Garden
Kubernetes
Cryo