CVE-2022-41939

2022-11-1901:15:13

CWE-200

[email protected]

web.nvd.nist.gov

cve-2022-41939

knative.dev/func

kubernetes

security

buildpacks

docker socket

lifecycle container

nvd

pr #1442

release 1.8.1

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

43.4%

JSON

knative.dev/func is is a client library and CLI enabling the development and deployment of Kubernetes functions. Developers using a malicious or compromised third-party buildpack could expose their registry credentials or local docker socket to a malicious lifecycle container. This issues has been patched in PR #1442, and is part of release 1.8.1. This issue only affects users who are using function buildpacks from third-parties; pinning the builder image to a specific content-hash with a valid lifecycle image will also mitigate the attack.

Affected configurations

Vulners

NVD

Node

knativeservingRange<1.8.1

VendorProductVersionCPE
knativeserving*cpe:2.3:a:knative:serving:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
knative	serving	*	cpe:2.3:a:knative:serving::::::::

CNA Affected

[
  {
    "vendor": "knative",
    "product": "func",
    "versions": [
      {
        "version": "< 1.8.1",
        "status": "affected"
      }
    ]
  }
]