CVE-2023-37264
CVSS 3.1 Score 4.3 of 10 (medium)
Summary
CVE-2023-37264 is a vulnerability in Tekton Pipelines, a CI/CD system that declares pipelines as Kubernetes-style resources. Starting with version 0.35.0, the PipelineRun controller does not validate the UIDs of its child resources. It identifies a child TaskRun by the PipelineRun's name and the TaskRun's owner reference, and the child reference it records in the PipelineRun status carries only the apiVersion and kind, not the UID. A TaskRun that merely has the expected name and an owner reference naming the PipelineRun is therefore indistinguishable from one the controller created itself, so a user who is permitted to create TaskRuns can supply their own Task definition and have the controller adopt it as a legitimate child. The consequences are unauthorized changes to what a pipeline executes, unrelated runs being attributed to a pipeline, and attacker-chosen results being fed into later pipeline stages. Exploitation requires permission to create TaskRuns, and the impact depends on how that permission is granted in a given Tekton installation; until a fix is deployed, the practical mitigation is to restrict TaskRun creation to the controller and trusted principals. At the time this entry was published, no patch was available.
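The following Go program illustrates the difference between the weak child lookup described above and one that also checks the owner UID. It is an added example written for this page, not Tekton's own reconciler code; the struct types, the "<pipelinerun>-<pipelinetask>" naming convention and the sample objects (one stale TaskRun left under an earlier PipelineRun of the same name, one genuine child) are constructed assumptions for illustration.

```go
package main

import "fmt"

// Minimal stand-ins for the Kubernetes metadata fields involved.
// Constructed for this example; not Tekton's or client-go's types.
type OwnerReference struct {
	APIVersion string
	Kind       string
	Name       string
	UID        string
}

type PipelineRun struct {
	Name string
	UID  string
}

type TaskRun struct {
	Name      string
	UID       string
	OwnerRefs []OwnerReference
}

// expectedChildName mirrors the "<pipelinerun>-<pipelinetask>" naming
// convention (assumed here for illustration).
func expectedChildName(pr PipelineRun, pipelineTask string) string {
	return pr.Name + "-" + pipelineTask
}

// findChildByName is the weak lookup: it adopts any TaskRun whose name
// matches and whose owner reference names the PipelineRun, ignoring the UID.
func findChildByName(pr PipelineRun, pipelineTask string, existing []TaskRun) *TaskRun {
	want := expectedChildName(pr, pipelineTask)
	for i := range existing {
		tr := &existing[i]
		if tr.Name != want {
			continue
		}
		for _, ref := range tr.OwnerRefs {
			if ref.Kind == "PipelineRun" && ref.Name == pr.Name {
				return tr
			}
		}
	}
	return nil
}

// findChildByUID is the hardened lookup: the owner reference must also carry
// the live PipelineRun's UID. A same-named TaskRun owned by a different
// PipelineRun object is reported as a conflict rather than adopted.
func findChildByUID(pr PipelineRun, pipelineTask string, existing []TaskRun) (*TaskRun, error) {
	want := expectedChildName(pr, pipelineTask)
	for i := range existing {
		tr := &existing[i]
		if tr.Name != want {
			continue
		}
		for _, ref := range tr.OwnerRefs {
			if ref.Kind == "PipelineRun" && ref.Name == pr.Name {
				if ref.UID == pr.UID {
					return tr, nil
				}
				return nil, fmt.Errorf("taskrun %q is owned by PipelineRun uid %s, want %s",
					tr.Name, ref.UID, pr.UID)
			}
		}
	}
	return nil, nil // no child yet: the controller would create one
}

// sampleScenario builds constructed sample objects: PipelineRun "build" has
// been recreated (new UID), a TaskRun from the previous incarnation is still
// present under the name the controller expects, and one genuine child exists.
func sampleScenario() (PipelineRun, []TaskRun) {
	pr := PipelineRun{Name: "build", UID: "pr-uid-2"}
	owner := func(uid string) []OwnerReference {
		return []OwnerReference{{APIVersion: "tekton.dev/v1beta1", Kind: "PipelineRun", Name: "build", UID: uid}}
	}
	existing := []TaskRun{
		{Name: "build-unit-tests", UID: "tr-stale", OwnerRefs: owner("pr-uid-1")},
		{Name: "build-lint", UID: "tr-ok", OwnerRefs: owner("pr-uid-2")},
	}
	return pr, existing
}

func main() {
	pr, existing := sampleScenario()
	for _, task := range []string{"unit-tests", "lint"} {
		weak := findChildByName(pr, task, existing)
		strong, err := findChildByUID(pr, task, existing)
		fmt.Printf("task %-10s name-only: %v  with-uid: %v  err: %v\n", task, weak != nil, strong != nil, err)
	}
}
```

The name-only lookup adopts the stale "build-unit-tests" run, which is the condition the advisory describes; the UID-aware lookup refuses it and only accepts "build-lint". Note the limit of the check: an owner reference UID is client-supplied, so a user who can both read the PipelineRun and create TaskRuns can still copy the correct UID. The UID check closes the stale-object and blind-guess cases; RBAC on TaskRun creation is what closes the rest.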
Affected Vendors
- Linux Foundation