Fission 访问控制错误漏洞

Fission is an open-source function deployment framework based on Kubernetes. Versions of Fission prior to 1.23.0 contained a access control vulnerability. This vulnerability stemmed from routers registering internal routes for each Function object, allowing any caller who has access to the router...

Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories

A security researcher found a flaw in Anthropic's Claude Code GitHub Action that let an attacker take over vulnerable public repositories running it, with nothing more than a single opened GitHub issue. Because Anthropic's own action repo used the same workflow, a working attack could have pushed...

Fission router exposes /fission-function/<ns>/<name> on its public listener, allowing invocation of any function without an HTTPTrigger

Summary The Fission router registers an internal-style route — /fission-function/ and /fission-function// — for every Function object, independent of whether any HTTPTrigger exists for that function. The route was mounted on the same listener as user-defined HTTPTriggers svc/router, port 8888, so...