Source: NVD (NVD:CVE-2022-41939)
History: Nov 19, 2022 - 1:15 a.m.

CVE-2022-41939

Published: 2022-11-19 01:15:13
Weakness: CWE-200
Source: web.nvd.nist.gov
Tags: knative.dev/func, kubernetes functions, third-party buildpack, registry credentials, docker socket, patched, pr #1442, vulnerability, release 1.8.1, mitigation

CVSS3 base score: 7.4 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

EPSS: 0.001 Low
EPSS Percentile: 43.4%

knative.dev/func is a client library and CLI enabling the development and deployment of Kubernetes functions. Developers using a malicious or compromised third-party buildpack could expose their registry credentials or local docker socket to a malicious lifecycle container. This issue has been patched in PR #1442 and is part of release 1.8.1. This issue only affects users who are using function buildpacks from third parties; pinning the builder image to a specific content hash with a valid lifecycle image will also mitigate the attack.

Affected configurations (NVD)

Node: linuxfoundation knative_func, version range < 1.8.1
