Horizon Alert
Summary of the vulnerability and why it matters
This advisory concerns a vulnerability in the Tekton Pipelines software, a tool used for continuous integration and delivery within Kubernetes environments. The issue allows a user with specific permissions to potentially access sensitive files, including service account tokens, from the system running Tekton Pipelines. The main concern is confirming whether this specific technology is in use and, if so, understanding the extent of potential exposure.
- Attackers could read sensitive files on the server.
- Impacts systems using Tekton Pipelines for CI/CD.
- Confirm usage and assess exposure risks.
Attack Path
How an attacker could exploit the issue
An attacker with the ability to create resolution requests can exploit a path traversal vulnerability in the Tekton Pipelines git resolver. By manipulating the `pathInRepo` parameter, an attacker can read arbitrary files from the resolver pod's filesystem, potentially including sensitive ServiceAccount tokens. These file contents are then returned to the attacker, base64-encoded, within the resolution request's status data, enabling further system compromise.
- Requires authenticated access to create requests.
- Path traversal via `pathInRepo` parameter.
- Access to sensitive files, including tokens.
Live Threat
Current exploitation, exposure, and threat context
A user with permission to create `ResolutionRequests` could potentially read arbitrary files from the resolver pod's filesystem, including ServiceAccount tokens. This exposure could occur when the `git-resolver` in Tekton Pipelines is configured and when the `pathInRepo` parameter is manipulated to traverse directories. The base64-encoded file contents would then be returned in the `resolutionrequest.status.data` field.
- ServiceAccount tokens or other filesystem contents.
- Path traversal via the `pathInRepo` parameter.
- Exposure of sensitive information.
Operational Fix
Recommended remediation, mitigation, and detection steps
Application owners or platform teams responsible for Tekton Pipelines deployments must identify all instances of the affected software, confirm their reachability and criticality, and then prioritize remediation efforts. Coordination with infrastructure and security teams will be essential for effective risk reduction and timely updates.
- Application owners and platform teams.
- Confirm Tekton Pipelines' reachability and criticality.
- Plan and coordinate targeted remediation efforts.