CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-37264 – Pipelines do not validate child UIDs
https://notcve.org/view.php?id=CVE-2023-37264
07 Jul 2023 — Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 0.35.0, pipelines do not validate child UIDs, which means that a user that has access to create TaskRuns can create their own Tasks that the Pipelines controller will accept as the child Task. While the software stores and validates the PipelineRun's (api version, kind, name, uid) in the child Run's OwnerReference, it only store (api version, kind, name) in the ChildStatusReference. This means that... • https://github.com/tektoncd/pipeline/blob/2d38f5fa840291395178422d34b36b1bc739e2a2/pkg/reconciler/pipelinerun/pipelinerun.go#L1358-L1372 • CWE-345: Insufficient Verification of Data Authenticity •