CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-44392 – Arbitrary code execution vulnerability when using shared Kubernetes cluster
https://notcve.org/view.php?id=CVE-2023-44392
09 Oct 2023 — Garden provides automation for Kubernetes development and testing. Prior tov ersions 0.13.17 and 0.12.65, Garden has a dependency on the cryo library, which is vulnerable to code injection due to an insecure implementation of deserialization. Garden stores serialized objects using cryo in the Kubernetes `ConfigMap` resources prefixed with `test-result` and `run-result` to cache Garden test and run results. These `ConfigMaps` are stored either in the `garden-system` namespace or the configured user namespace... • https://github.com/garden-io/garden/commit/3117964da40d3114f129a6131b4ada89eaa4eb8c • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-24829 – Missing authentication in Garden
https://notcve.org/view.php?id=CVE-2022-24829
11 Apr 2022 — Garden is an automation platform for Kubernetes development and testing. In versions prior to 0.12.39 multiple endpoints did not require authentication. In some operating modes this allows for an attacker to gain access to the application erroneously. The configuration is leaked through the /api endpoint on the local server that is responsible for serving the Garden dashboard. At the moment, this server is accessible to 0.0.0.0 which makes it accessible to anyone on the same network (or anyone on the intern... • https://github.com/garden-io/garden/commit/56051a5b50409227bc420910da88ed156a6e432b • CWE-306: Missing Authentication for Critical Function •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2015-5350
https://notcve.org/view.php?id=CVE-2015-5350
19 Mar 2018 — In Garden versions 0.22.0-0.329.0, a vulnerability has been discovered in the garden-linux nstar executable that allows access to files on the host system. By staging an application on Cloud Foundry using Diego and Garden installations with a malicious custom buildpack an end user could read files on the host system that the BOSH-created vcap user has permissions to read and then package them into their app droplet. De las versiones 0.22.0-0.329.0 de Garden, se ha descubierto una vulnerabilidad en el ejecut... • https://pivotal.io/security/cve-2015-5350 • CWE-284: Improper Access Control •