
CVSS: 7.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

06 Mar 2023 — Azure/setup-kubectl is a GitHub Action for installing Kubectl. This vulnerability only impacts versions before version 3. The action creates a temporary file insecurely: the Kubectl binary it installs is world writable, so other actors on the Actions runner can replace it. The Kubectl tool installer runs `fs.chmodSync(kubectlPath, 777)` to set permissions on the Kubectl binary, which allows any local user to replace the binary. This allows privilege escalation to the user that... • https://github.com/Azure/setup-kubectl/commit/d449d75495d2b9d1463555bb00ca3dca77a42ab6 • CWE-732: Incorrect Permission Assignment for Critical Resource