Impact
Some versions of Tekton Dashboard prior to v0.25.0 are missing Origin header validation on WebSocket connection upgrade requests. Tekton Dashboard uses the WebSocket protocol to provide real-time updates for TaskRuns, PipelineRuns, and other Tekton data. The endpoints responsible for upgrading the incoming HTTP request to a WebSocket request in the affected versions did not validate the Origin header to ensure that the request was coming from a trusted origin (i.e. the Dashboard itself). As a result, malicious web pages could connect to Tekton Dashboard and receive these real-time updates.
Patches
Origin validation was added in #2333, which is released in v0.25.0 and has also been back-ported to v0.22.1, v0.23.1, and v0.24.2.
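The kind of check the fix introduces, as an added example rather than Tekton Dashboard's own code from #2333: a Go handler wrapper, standard library only, that validates the Origin header against the request's own host and an explicit allowlist before any WebSocket upgrade takes place. The trusted origin https://dashboard.example.com, the /websockets path and the choice to accept requests that carry no Origin header are assumptions for this example, not details taken from the advisory.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// checkOrigin is the validation the affected versions lacked: a browser-sent
// Origin must match the request Host (the Dashboard itself) or a trusted origin.
// An absent Origin is taken as a non-browser client; browsers always send one.
func checkOrigin(r *http.Request, trusted []string) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true
	}
	if u, err := url.Parse(origin); err == nil && strings.EqualFold(u.Host, r.Host) {
		return true
	}
	for _, t := range trusted {
		if strings.EqualFold(origin, t) {
			return true
		}
	}
	return false
}

// guardUpgrade runs checkOrigin before the WebSocket upgrade endpoint, so a
// cross-site page is refused with 403 and never receives the update stream.
func guardUpgrade(trusted []string, upgrade http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !checkOrigin(r, trusted) {
			http.Error(w, "forbidden origin", http.StatusForbidden)
			return
		}
		upgrade(w, r)
	}
}

// statusFor sends a constructed upgrade request with the given Origin through the guard and returns the status.
func statusFor(origin string) int {
	h := guardUpgrade([]string{"https://dashboard.example.com"},
		func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusSwitchingProtocols) })
	r := httptest.NewRequest("GET", "http://dashboard.example.com/websockets", nil)
	r.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h(rec, r)
	return rec.Code // 101 for the Dashboard's own origin, 403 for a cross-site page
}
```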
References
For more information
If you have any questions or comments about this advisory: