CVE-2023-44392 – Arbitrary code execution vulnerability when using shared Kubernetes cluster
https://notcve.org/view.php?id=CVE-2023-44392
Garden provides automation for Kubernetes development and testing. Prior to versions 0.13.17 and 0.12.65, Garden depended on the cryo library, which is vulnerable to code injection because of an insecure deserialization implementation. Garden stores objects serialized with cryo in Kubernetes `ConfigMap` resources prefixed with `test-result` and `run-result` to cache Garden test and run results. These `ConfigMaps` live either in the `garden-system` namespace or in the configured user namespace. When a user invokes `garden test` or `garden run`, the objects stored in those `ConfigMaps` are retrieved and deserialized. In a shared cluster, anyone who can write `ConfigMaps` in those namespaces therefore controls what gets deserialized on the machine running Garden.
• https://github.com/garden-io/garden/commit/3117964da40d3114f129a6131b4ada89eaa4eb8c
• https://github.com/garden-io/garden/security/advisories/GHSA-hm75-6vc9-8rpr
• CWE-94: Improper Control of Generation of Code ('Code Injection')
• CWE-502: Deserialization of Untrusted Data
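The bug class behind this entry, as an added illustration (this is not Garden's or cryo's code): a cached result read from a cluster-shared `ConfigMap` is fed to a deserializer that revives tagged values into live code, beside a hardened loader that treats the payload as plain, schema-checked JSON. The `ConfigMap` objects, the `__fn__` tag and both deserializers are constructed for this example.

```javascript
// Added illustration of CWE-502 via a shared ConfigMap. Not Garden's or cryo's
// code: the ConfigMap objects, the "__fn__" tag and both deserializers are
// constructed for this example.

const FUNCTION_TAG = "__fn__"; // hypothetical marker a rich serializer might use for functions

// Trimmed-down ConfigMap as a Kubernetes client would return it. In a shared
// cluster, any principal with write access to ConfigMaps in this namespace
// controls `data.result`. Constructed sample.
const maliciousConfigMap = {
  metadata: { name: "test-result-example", namespace: "garden-system" },
  data: {
    result: JSON.stringify({
      success: true,
      log: "all tests passed",
      // Attacker-supplied value: an expression the vulnerable deserializer will evaluate.
      startedAt: { [FUNCTION_TAG]: "(() => { globalThis.pwned = true; return 'executed'; })()" },
    }),
  },
};

// The same ConfigMap written by an honest `garden test` run. Constructed sample.
const benignConfigMap = {
  metadata: { name: "test-result-example", namespace: "garden-system" },
  data: {
    result: JSON.stringify({ success: true, log: "all tests passed", startedAt: "2023-10-01T00:00:00Z" }),
  },
};

// Vulnerable pattern: a deserializer that revives tagged values into live code.
// Whoever wrote the ConfigMap chooses the source that runs in the Garden process.
function unsafeDeserialize(text) {
  return JSON.parse(text, (key, value) => {
    if (value !== null && typeof value === "object" && typeof value[FUNCTION_TAG] === "string") {
      return new Function("return (" + value[FUNCTION_TAG] + ")")(); // evaluates attacker input
    }
    return value;
  });
}

// Hardened pattern: plain JSON, an explicit allow-list of fields and types,
// a null-prototype result object, and rejection of anything unexpected
// (including an own "__proto__" key, which JSON.parse happily produces).
const RESULT_SCHEMA = { success: "boolean", log: "string", startedAt: "string" };

function safeDeserialize(text) {
  const raw = JSON.parse(text);
  if (raw === null || typeof raw !== "object" || Array.isArray(raw)) {
    throw new Error("cached result must be a JSON object");
  }
  for (const key of Object.keys(raw)) {
    if (!Object.prototype.hasOwnProperty.call(RESULT_SCHEMA, key)) {
      throw new Error(`unexpected field in cached result: ${key}`);
    }
  }
  const out = Object.create(null);
  for (const [key, type] of Object.entries(RESULT_SCHEMA)) {
    if (!Object.prototype.hasOwnProperty.call(raw, key)) throw new Error(`missing field: ${key}`);
    if (typeof raw[key] !== type) throw new Error(`field ${key} must be a ${type}`);
    out[key] = raw[key];
  }
  return out;
}

// What the `garden test` / `garden run` cache path boils down to: fetch the
// ConfigMap, then deserialize `data.result`. Only the deserializer differs.
function loadCachedResult(configMap, deserialize = safeDeserialize) {
  return deserialize(configMap.data.result);
}
```

With `unsafeDeserialize`, loading `maliciousConfigMap` runs the attacker's expression inside the caller's process; with `safeDeserialize` the same payload is rejected because `startedAt` is not a string. The general lesson is that a cache living in a namespace other tenants can write to is untrusted input, and the format used for it must not be able to express code.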
CVE-2022-24829 – Missing authentication in Garden
https://notcve.org/view.php?id=CVE-2022-24829
Garden is an automation platform for Kubernetes development and testing. In versions prior to 0.12.39, multiple endpoints did not require authentication. In some operating modes this lets an attacker gain access to the application. The configuration is leaked through the /api endpoint on the local server that serves the Garden dashboard. That server binds to 0.0.0.0, i.e. all interfaces, so it is reachable by anyone on the same network, or by anyone on the internet if the host has a public IP address.
• https://github.com/garden-io/garden/commit/56051a5b50409227bc420910da88ed156a6e432b
• https://github.com/garden-io/garden/security/advisories/GHSA-f5f3-qrqw-2vqf
• CWE-306: Missing Authentication for Critical Function
CVE-2015-5350
https://notcve.org/view.php?id=CVE-2015-5350
In Garden versions 0.22.0 through 0.329.0, a vulnerability in the garden-linux nstar executable allows access to files on the host system. By staging an application on Cloud Foundry that uses Diego and Garden with a malicious custom buildpack, an end user could read any host file the BOSH-created vcap user is permitted to read and package it into their app droplet.
• https://pivotal.io/security/cve-2015-5350
• CWE-284: Improper Access Control