CVSS3 score: 4.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.001 (Low)
EPSS Percentile: 31.4%
github.com/tektoncd/pipeline is vulnerable to an authorization bypass. The pipeline controller does not check the UIDs of child runs, so a user who has permission to create TaskRuns can create their own TaskRun and trick the controller into linking that unrelated run to the pipeline, feeding its data through the remainder of the pipeline.
CPE | Name | Operator | Version
---|---|---|---
| github.com/tektoncd/pipeline | le | v0.49.0
github.com/tektoncd/pipeline/blob/2d38f5fa840291395178422d34b36b1bc739e2a2/pkg/reconciler/pipelinerun/pipelinerun.go#L1358-L1372
github.com/tektoncd/pipeline/issues/6909
github.com/tektoncd/pipeline/security/advisories/GHSA-w2h3-vvvq-3m53
pkg.go.dev/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1#ChildStatusReference