CVE-2023-37264

CVSS 3.1 Score 4.3 of 10 (medium)

Details

Published Jul 7, 2023
Updated: Jul 18, 2023
CWE ID 345

Summary

CVE-2023-37264 is a vulnerability in Tekton Pipelines, a CI/CD tool that allows declaring pipelines with k8s-style resources. Starting from version 0.35.0, pipelines fail to validate child UIDs, enabling users with access to create TaskRuns to produce their own Tasks that the Pipeline controller accepts as legitimate children. The controller identifies these runs based on the pipeline's name and owner reference, but only stores the api version and kind in the child status reference. This discrepancy can lead to unauthorized modifications of pipeline configurations, associating unrelated runs to pipelines, and feeding false data through the pipeline. Access to create TaskRuns is required for exploitation, and the impact varies depending on specific Tekton setups. Unfortunately, there are currently no known patches to address this issue.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share