Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/garden-io/garden: CVE-2023-44392 #2105

Closed
GoVulnBot opened this issue Oct 9, 2023 · 2 comments
Closed

x/vulndb: potential Go vuln in github.com/garden-io/garden: CVE-2023-44392 #2105

GoVulnBot opened this issue Oct 9, 2023 · 2 comments
Assignees
@jba
Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.

Comments

@GoVulnBot
Copy link

CVE-2023-44392 references github.com/garden-io/garden, which may be a Go module.

Description:
Garden provides automation for Kubernetes development and testing. Prior tov ersions 0.13.17 and 0.12.65, Garden has a dependency on the cryo library, which is vulnerable to code injection due to an insecure implementation of deserialization. Garden stores serialized objects using cryo in the Kubernetes ConfigMap resources prefixed with test-result and run-result to cache Garden test and run results. These ConfigMaps are stored either in the garden-system namespace or the configured user namespace. When a user invokes the command garden test or garden run objects stored in the ConfigMap are retrieved and deserialized. This can be used by an attacker with access to the Kubernetes cluster to store malicious objects in the ConfigMap, which can trigger a remote code execution on the users machine when cryo deserializes the object. In order to exploit this vulnerability, an attacker must have access to the Kubernetes cluster used to deploy garden remote environments. Further, a user must actively invoke either a garden test or garden run which has previously cached results. The issue has been patched in Garden versions 0.13.17 (Bonsai) and 0.12.65 (Acorn). Only Garden versions prior to these are vulnerable. No known workarounds are available.

References:

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/garden-io/garden
      vulnerable_at: 0.12.3
      packages:
        - package: garden
cves:
    - CVE-2023-44392
references:
    - advisory: https://github.com/garden-io/garden/security/advisories/GHSA-hm75-6vc9-8rpr
    - fix: https://github.com/garden-io/garden/commit/3117964da40d3114f129a6131b4ada89eaa4eb8c
@jba jba self-assigned this Oct 11, 2023
@jba jba added excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. and removed excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. labels Oct 11, 2023
@jba
Copy link
Contributor

jba commented Oct 11, 2023

Also, it's a tool.

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/535696 mentions this issue: data/excluded: batch add 5 excluded reports

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jba jba

Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@gopherbot @jba @GoVulnBot