CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-44392 – Arbitrary code execution vulnerability when using shared Kubernetes cluster
https://notcve.org/view.php?id=CVE-2023-44392
09 Oct 2023 — Garden provides automation for Kubernetes development and testing. Prior tov ersions 0.13.17 and 0.12.65, Garden has a dependency on the cryo library, which is vulnerable to code injection due to an insecure implementation of deserialization. Garden stores serialized objects using cryo in the Kubernetes `ConfigMap` resources prefixed with `test-result` and `run-result` to cache Garden test and run results. These `ConfigMaps` are stored either in the `garden-system` namespace or the configured user namespace... • https://github.com/garden-io/garden/commit/3117964da40d3114f129a6131b4ada89eaa4eb8c • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2015-5350
https://notcve.org/view.php?id=CVE-2015-5350
19 Mar 2018 — In Garden versions 0.22.0-0.329.0, a vulnerability has been discovered in the garden-linux nstar executable that allows access to files on the host system. By staging an application on Cloud Foundry using Diego and Garden installations with a malicious custom buildpack an end user could read files on the host system that the BOSH-created vcap user has permissions to read and then package them into their app droplet. De las versiones 0.22.0-0.329.0 de Garden, se ha descubierto una vulnerabilidad en el ejecut... • https://pivotal.io/security/cve-2015-5350 • CWE-284: Improper Access Control •