CVE-2023-44392

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-44392
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-44392.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-44392
Related
  • GHSA-hm75-6vc9-8rpr
Published
2023-10-09T20:15:10Z
Modified
2025-01-08T15:14:20.990083Z
Severity
  • 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Garden provides automation for Kubernetes development and testing. Prior tov ersions 0.13.17 and 0.12.65, Garden has a dependency on the cryo library, which is vulnerable to code injection due to an insecure implementation of deserialization. Garden stores serialized objects using cryo in the Kubernetes ConfigMap resources prefixed with test-result and run-result to cache Garden test and run results. These ConfigMaps are stored either in the garden-system namespace or the configured user namespace. When a user invokes the command garden test or garden run objects stored in the ConfigMap are retrieved and deserialized. This can be used by an attacker with access to the Kubernetes cluster to store malicious objects in the ConfigMap, which can trigger a remote code execution on the users machine when cryo deserializes the object. In order to exploit this vulnerability, an attacker must have access to the Kubernetes cluster used to deploy garden remote environments. Further, a user must actively invoke either a garden test or garden run which has previously cached results. The issue has been patched in Garden versions 0.13.17 (Bonsai) and 0.12.65 (Acorn). Only Garden versions prior to these are vulnerable. No known workarounds are available.

References

Affected packages

Git / github.com/garden-io/garden

Affected ranges

Type
GIT
Repo
https://github.com/garden-io/garden
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

0.*

0.12.32
0.12.33-777
0.12.49
0.12.50
0.12.51
0.12.53
0.12.55
0.12.56
0.13.0
0.13.10
0.13.11
0.13.12
0.13.2
0.13.3
0.13.4
0.13.5
0.13.6
0.13.7
0.13.8
0.13.9

Other

edge
edge-acorn

v0.*

v0.1.0
v0.1.1-0
v0.1.2
v0.10.11
v0.10.14
v0.10.3
v0.10.4
v0.10.5
v0.10.7
v0.10.8
v0.2.0-0
v0.3.0
v0.8.0
v0.8.0-rc0
v0.8.0-rc1
v0.8.0-rc2
v0.8.0-rc3
v0.8.0-rc4
v0.8.1-rc1
v0.9.0-docfix.1
v0.9.0-rc3
v0.9.1
v0.9.1-0
v0.9.10
v0.9.11
v0.9.12
v0.9.12-0
v0.9.3
v0.9.4
v0.9.5-2
v0.9.6
v0.9.9