Linuxfoundation Tekton Pipelines

8 matches found

CVE-2023-37264
added 2023/07/07 4:23 p.m., 2502 views

CVE-2023-37264 affects Tekton Pipelines: starting from 0.35.0, the Pipelines controller does not validate child TaskRun UIDs, allowing a user who can create TaskRuns to subvert ownership checks by creating a child TaskRun with the same name/owner reference. This can lead to the Pipeline controlle...

CVSS 4.3 | AI score 4.2 | EPSS 0.00318
CVE-2026-25542
added 2026/04/21 4:5 p.m., 23 views

Tekton Pipelines CVE-2026-25542 affects versions 0.43.0–1.11.0. The vulnerability arises because trusted resources verification policies compare refSource.URI against spec.resources[].pattern using Go’s regexp.MatchString, which reports a match if the pattern appears anywhere in the string. Unanc...

CVSS 6.5 | AI score 5.8 | EPSS 0.00264
CVE-2026-40924
added 2026/04/21 8:47 p.m., 21 views

CVE-2026-40924 – Tekton Pipelines HTTP Resolver Unbounded Read Leads to DoS. The vulnerability affects Tekton Pipelines where, prior to 1.11.1, the HTTP resolver’s FetchHttpResource calls io.ReadAll on resp.Body with no size limit. A tenant with permission to create TaskRuns or PipelineRuns refe...

CVSS 6.5 | AI score 5.9 | EPSS 0.00318
CVE-2026-40938
added 2026/04/21 8:45 p.m., 19 views

The CVE concerns Tekton Pipelines’ git resolver (1.0.0–1.10.x) where the revision parameter is passed to git fetch as a positional argument without validating it does not start with a dash. An attacker can inject git fetch flags (e.g., --upload-pack=) because git treats mixed positional arguments...

CVSS 8.5 | AI score 6.4 | EPSS 0.00788
CVE-2026-33211
added 2026/03/23 11:55 p.m., 17 views

CVE-2026-33211 (Tekton Pipelines git resolver path traversal). Affected: Tekton Pipelines prior to 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2. An attacker with permission to create ResolutionRequests (e.g., via TaskRuns/PipelineRuns using the git resolver) can exploit pathInRepo to read arbitrary file...

CVSS 9.6 | AI score 5.9 | EPSS 0.00573
CVE-2026-40923
added 2026/04/21 8:50 p.m., 15 views

CVE-2026-40923 affects Tekton Pipelines. Before v1.11.1, a validation bypass in the VolumeMount path restriction allows volumes to be mounted under restricted /tekton/ paths by using .. path traversal components. The check relies on strings.HasPrefix instead of filepath.Clean, allowing inputs like ...

CVSS 5.4 | AI score 5.8 | EPSS 0.0022
CVE-2026-33022
added 2026/03/20 7:48 a.m., 13 views

CVE-2026-33022 (Tekton Pipelines) causes a denial-of-service by allowing any user who can create a TaskRun or PipelineRun to crash the controller cluster-wide when .spec.taskRef.resolver or .spec.pipelineRef.resolver is set to a 31+ character string. The crash stems from GenerateDeterministicName...

CVSS 6.5 | AI score 5.8 | EPSS 0.00368
CVE-2026-40161
added 2026/04/21 4:26 p.m., 13 views

Summary: Tekton Pipelines before 1.10.0, specifically the git resolver in API mode, can exfiltrate system-configured Git tokens when the token parameter is omitted. Affected software: Tekton Pipelines git resolver (API mode), versions 1.0.0–1.10.0. Vulnerability details: In API mode, the resolver...

CVSS 7.7 | AI score 5.8 | EPSS 0.0026