CVE-2023-37264: Tekton Pipeline Vulnerability Impact on Shipwright #1346
Labels
kind/bug
Categorizes issue or PR as related to a bug.
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2023-37264: Tekton Pipeline Vulnerability Impact on Shipwright
Tekton Pipelines, starting with v0.35.0, has a flaw that allows the recorded reference of its child TaskRuns to be modified. Similar logic is employed to record the child Pod reference on the TaskRun - in theory, Shipwright is similarly at risk because each BuildRun generates a child TaskRun.
There is currently no patch to fix this in Tekton Pipelines - tektoncd/pipeline#6909 has been opened to track the remediation of this vulnerability.
Impact
A malicious user with permissions to edit Tekton TaskRuns could trick Shipwright into thinking that a "good pod" built a container image, when in fact a malicious build the image instead. A proof of concept of this attack has not been demonstrated (yet).
Mitigation
Use principle of least privilege when granting service accounts permission to update/patch Tekton TaskRuns. Per the initial vulnerability report: " If users already have unrestricted access to create any Task/PipelineRun, this does not grant any additional capabilities." (emphasis by author).
References
/kind bug
The text was updated successfully, but these errors were encountered: