CVE-2023-37264

CVSS 3.1 Score 4.3 of 10 (medium)

Details

Published Jul 7, 2023

Updated: Jul 18, 2023

CWE ID 345

Summary

CVE-2023-37264 is a vulnerability in Tekton Pipelines, a CI/CD tool that allows declaring pipelines with k8s-style resources. Starting from version 0.35.0, pipelines fail to validate child UIDs, enabling users with access to create TaskRuns to produce their own Tasks that the Pipeline controller accepts as legitimate children. The controller identifies these runs based on the pipeline's name and owner reference, but only stores the api version and kind in the child status reference. This discrepancy can lead to unauthorized modifications of pipeline configurations, associating unrelated runs to pipelines, and feeding false data through the pipeline. Access to create TaskRuns is required for exploitation, and the impact varies depending on specific Tekton setups. Unfortunately, there are currently no known patches to address this issue.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share

Affected Vendors

Linux Foundation

Advisories, Assessments, and Mitigations

Prioritize, Pinpoint, and Act to Prevent Vulnerability Exploits with Recorded Future

Note: This is just a basic overview providing quick insights into CVE-2023-37264 information. Gain full access to comprehensive CVE data, third party vulnerabilities, compromised credentials and more with Recorded Future

Gain complete coverage of your cyber, third party, and physical attack surface
Proactively mitigate threats before they turn into costly attacks
Make fast, effective, data-driven decisions

Book your demo

Sign in

Back to Vulnerability Database