CVE-2023-44392

Arbitrary code execution vulnerability when using shared Kubernetes cluster

Severity Score

9.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

Garden provides automation for Kubernetes development and testing. Prior tov ersions 0.13.17 and 0.12.65, Garden has a dependency on the cryo library, which is vulnerable to code injection due to an insecure implementation of deserialization. Garden stores serialized objects using cryo in the Kubernetes `ConfigMap` resources prefixed with `test-result` and `run-result` to cache Garden test and run results. These `ConfigMaps` are stored either in the `garden-system` namespace or the configured user namespace. When a user invokes the command `garden test` or `garden run` objects stored in the `ConfigMap` are retrieved and deserialized. This can be used by an attacker with access to the Kubernetes cluster to store malicious objects in the `ConfigMap`, which can trigger a remote code execution on the users machine when cryo deserializes the object. In order to exploit this vulnerability, an attacker must have access to the Kubernetes cluster used to deploy garden remote environments. Further, a user must actively invoke either a `garden test` or `garden run` which has previously cached results. The issue has been patched in Garden versions `0.13.17` (Bonsai) and `0.12.65` (Acorn). Only Garden versions prior to these are vulnerable. No known workarounds are available.

Garden proporciona automatización para el desarrollo y las pruebas de Kubernetes. Antes de las versiones 0.13.17 y 0.12.65, Garden dependía de cryo library, que es vulnerable a la inyección de código debido a una implementación insegura de la deserialización. Garden almacena objetos serializados usando cryo en los recursos `ConfigMap` de Kubernetes con el prefijo `test-result` y `run-result` para almacenar en caché los resultados de la prueba y ejecución de Garden. Estos `ConfigMaps` se almacenan en el espacio de nombres `garden-system` o en el espacio de nombres de usuario configurado. Cuando un usuario invoca el comando "garden test" o "garden run", los objetos almacenados en "ConfigMap" se recuperan y deserializan. Esto puede ser utilizado por un atacante con acceso al clúster de Kubernetes para almacenar objetos maliciosos en el "ConfigMap", lo que puede desencadenar una ejecución remota de código en la máquina del usuario cuando cryo deserializa el objeto. Para aprovechar esta vulnerabilidad, un atacante debe tener acceso al clúster de Kubernetes utilizado para implementar entornos remotos de garden. Además, un usuario debe invocar activamente una "garden test" o una "garden run" que previamente haya almacenado en caché los resultados. El problema se solucionó en las versiones de Garden `0.13.17` (Bonsai) y `0.12.65` (Acorn). Sólo las versiones Garden anteriores a estas son vulnerables. No hay workarounds conocidos disponibles.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2023-09-28 CVE Reserved
2023-10-09 CVE Published
2024-09-18 CVE Updated
2024-12-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-94: Improper Control of Generation of Code ('Code Injection')
CWE-502: Deserialization of Untrusted Data

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://github.com/garden-io/garden/commit/3117964da40d3114f129a6131b4ada89eaa4eb8c	2023-10-16

URL	Date	SRC
https://github.com/garden-io/garden/security/advisories/GHSA-hm75-6vc9-8rpr	2023-10-16

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Garden Search vendor "Garden"		Garden Search vendor "Garden" for product "Garden"				< 0.12.65 Search vendor "Garden" for product "Garden" and version " < 0.12.65"		kubernetes		Affected
Garden Search vendor "Garden"		Garden Search vendor "Garden" for product "Garden"				>= 0.13.0 < 0.13.17 Search vendor "Garden" for product "Garden" and version " >= 0.13.0 < 0.13.17"		kubernetes		Affected