Description
Mirror of TOB-JKUBE-2.

As part of the Spring Boot watcher functionality, JKube executes a second Java process. The
command line for this process is crafted in an unsafe way, by interpolating an arbitrary
secret in the command line. This command line is then tokenized by separating on spaces.
If the secret contains spaces, this can allow an attacker to add arbitrary arguments and
command line flags and modify the behavior of this command execution.
https://github.com/eclipse/jkube/blob/12edf4a2f947ad1e0b2b44d8317a6052097f93af/jkube-kit/jkube-kit-spring-boot/src/main/java/org/eclipse/jkube/springboot/watcher/SpringBootWatcher.java#L163-L166
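The tokenization problem described in this issue, shown as an added example that is not JKube's code: it builds the argument vector both ways without starting a process. The class, property, jar and main-class names are hypothetical, and the secret and URL are constructed values.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.StringTokenizer;

public class ArgvTokenizationDemo {

    // Unsafe pattern: interpolate the secret into one string, then split on whitespace.
    // Runtime.exec(String) applies the same whitespace split through StringTokenizer.
    static List<String> tokenizedCommand(String secret, String url) {
        String command = String.format(
            "java -cp app.jar -Dexample.remote.secret=%s example.RemoteClient %s",
            secret, url);
        List<String> argv = new ArrayList<>();
        StringTokenizer tokens = new StringTokenizer(command);
        while (tokens.hasMoreTokens()) {
            argv.add(tokens.nextToken());
        }
        return argv;
    }

    // Safer pattern: build argv element by element, so the secret can never
    // cross an argument boundary regardless of the characters it contains.
    static List<String> argumentList(String secret, String url) {
        return Arrays.asList(
            "java", "-cp", "app.jar",
            "-Dexample.remote.secret=" + secret,
            "example.RemoteClient", url);
    }

    public static void main(String[] args) {
        String secret = "abc -Dexample.injected=true"; // constructed secret containing a space
        String url = "http://localhost:8080";          // constructed URL

        List<String> unsafe = tokenizedCommand(secret, url);
        List<String> safe = argumentList(secret, url);

        // The tokenized form gains an extra argument taken from the secret's second half.
        System.out.println("tokenized (" + unsafe.size() + " args): " + unsafe);
        System.out.println("list      (" + safe.size() + " args): " + safe);

        // ProcessBuilder takes the list as-is and does not re-split any element.
        ProcessBuilder builder = new ProcessBuilder(safe);
        System.out.println("ProcessBuilder argv: " + builder.command());
    }
}
```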