Listen to this Post
The vulnerability arises from two root causes. First, the `revision` parameter in a `ResolutionRequest` is passed directly as a positional argument to `git fetch` without validation that it does not start with a `-` character. Git parses flags even from positional arguments, so a value like `–upload-pack=/bin/sh` is interpreted as a flag, not a refspec. Second, the `validateRepoURL` function explicitly allows URLs beginning with /, which are local filesystem paths. When `git fetch` uses a local path as the remote, the `–upload-pack` flag causes Git to execute the specified binary locally on the resolver pod. An attacker who can submit `ResolutionRequest` objects combines these: they set `url` to a local path (e.g., /tmp/localrepo) and `revision` to --upload-pack=/bin/sh. The resolver executes git fetch origin --upload-pack=/bin/sh --depth=1, launching `/bin/sh` with the repository path as argument. From there, the attacker can read cluster secrets because the `tekton-pipelines-resolvers` ServiceAccount has cluster-wide `get/list/watch` on all Secrets. The deprecated and current resolvers share the vulnerable code. No shell metacharacters are needed; Git itself does the injection. Attack complexity is high because a valid Git repo must exist at a predictable path on the pod, but concurrent resolutions or default configurations can enable it. Proof-of-concept uses `kubectl create` with a crafted ResolutionRequest. The fix requires validating that `revision` does not begin with `-` and optionally removing local-path URL support.
dailycve form:
Platform: Tekton Pipelines
Version: All versions
Vulnerability: Git flag injection
Severity: High
date: 2024-04-10
Prediction: Patch within 30d
What Undercode Say:
Identify vulnerable resolver pods kubectl get pods -n tekton-pipelines -l app=tekton-pipelines-resolvers Check for missing revision validation in source grep -rn 'revision.fetch' pkg/resolution/resolver/git/ Exploit simulation (requires local repo on pod) kubectl create -f - <<EOF apiVersion: resolution.tekton.dev/v1beta1 kind: ResolutionRequest metadata: name: test-injection spec: params: - name: url value: /tmp/existing-repo - name: revision value: "--upload-pack=/bin/sh -c 'cat /var/run/secrets/kubernetes.io/serviceaccount/token'" EOF
Exploit:
– Attacker submits `ResolutionRequest` with `url=/tmp/predictable-repo` and revision=--upload-pack=/bin/sh.
– Resolver runs git fetch origin --upload-pack=/bin/sh --depth=1, executing `/bin/sh` with repo path.
– Shell can read service account token, then use Kubernetes API to list all secrets cluster-wide.
– Exfiltrate via `curl` from injected --upload-pack=/usr/bin/curl.
Protection from this CVE:
- Apply fix: validate `revision` with `strings.HasPrefix(revision, “-“)` -> reject.
- Remove local path support: change `validateRepoURL` regex to deny
^/. - Upgrade to patched Tekton version (when available).
- Restrict `ResolutionRequest` submission to trusted tenants via RBAC.
- Run resolver pods with read-only root filesystem and drop all capabilities.
Impact:
- Full cluster secret exfiltration (kubeconfigs, cloud tokens, API keys).
- Lateral movement to cloud infrastructure and other namespaces.
- Privilege escalation from tenant to cluster admin.
- Both old and new resolvers vulnerable; default installations affected.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

