Tag
#kubernetes
### Summary The `getSecretKey` template function, while introduced for senhasegura Devops Secrets Management (DSM) provider, has the ability to fetch secrets across namespaces with the roleBinding of the external-secrets controller, bypassing our security mechanisms. This function was completely removed, as everything done with that templating function can be done in a different way while respecting our safeguards (for example, using `sourceRef` as explained here: https://github.com/external-secrets/external-secrets/issues/5690#issuecomment-3630977865) ### Impact - Cross-namespace secret access: Attackers or misconfigured resources could retrieve secrets from namespaces other than the one intended. - Privilege escalation: Unauthorized access to secrets could lead to privilege escalation, data exfiltration, or compromise of service accounts and credentials. ### Resolution We removed the offending templating function from our codebase. All users should upgrade to the latest vers...
### Impact Arbitrary code execution through [Lua filters](https://opensource.zalando.com/skipper/reference/scripts/). The default skipper configuration before v0.23 was `-lua-sources=inline,file`. The problem starts if untrusted users can create Lua filters, because of `-lua-sources=inline`, for example through a Kubernetes Ingress resource. The configuration `inline` allows these users to create a script that is able to read the filesystem accessible to the skipper process, and if the user has access to read the logs they can read skipper secrets. Kubernetes example (vulnerability is not limited to Kubernetes): ```lua function request(ctx, params) local file = io.open('/var/run/secrets/kubernetes.io/serviceaccount/token', 'r') if file then local token = file:read('*all') file:close() error('[EXFIL] ' .. token) -- Exfiltrate via error logs end end ``` ### Patches https://github.com/zalando/skipper/releases/tag/v0.23.0 disables Lua by default. ### Workarounds You...
Severity: LOW Target: /workspace/pepr/src/lib/assets/rbac.ts Endpoint: Kubernetes RBAC configuration Method: Deployment ## Response / Rationale Pepr defaults to `rbacMode: "admin"` because the initial experience is designed to be frictionless for new users. This mode ensures that users can deploy and run the default `hello-pepr.ts` module without needing to understand or pre-configure RBAC rules. It’s important to note that `hello-pepr.ts` is intended strictly as a demo to showcase Pepr features and workflow. It is not intended for production use, and the documentation explicitly calls out that admin RBAC should not be used in production environments. That said, if a user skips the documentation and does not review the `npx pepr build` options, they could deploy a module with broader privileges than necessary. We consider this low severity because Pepr is a framework: the module author is ultimately responsible for selecting the appropriate RBAC scope for their module and environme...
If you’re a platform engineer or SRE, you know that managing infrastructure and efficiently managing it are two very different things. You’ve been able to run virtual machines (VMs) alongside containers in Red Hat Advanced Cluster Management for a while now. But as your fleet grows, finding that one specific VM acting up in a haystack of clusters can feel like a scavenger hunt you didn't sign up for. Red Hat Advanced Cluster Management for Kubernetes 2.15 redefines your daily workflow instead of just adding features. We’ve taken the capabilities you rely on and made them easier to use so
Researchers have discovered VoidLink, a sophisticated new Linux malware framework designed to infiltrate AWS, Google Cloud, and Azure. Learn how this Chinese-affiliated toolkit uses adaptive stealth to stay hidden.
### Summary The user-provided chart name in the `kustomize` manager is appended to the `helm pull --untar` command without proper sanitization. ### Details Adversaries can provide a maliciously crafted `kustomization.yaml` in conjunction with a Helm repo's `index.yaml` file to trick Renovate into executing arbitrary code. The value for the `depName` argument for the `helmRepositoryArgs` function in [lib/modules/manager/kustomize/artifacts.ts](https://github.com/renovatebot/renovate/blob/cc08c6e98f19e6258c5d3180c70c98e1be0b0d37/lib/modules/manager/kustomize/artifacts.ts#L33) is not being escaped using the `quote` function from the `shlex` package. This lack of proper sanitization has been present in the product since version 39.218.9 (https://github.com/renovatebot/renovate/commit/cc08c6e98f19e6258c5d3180c70c98e1be0b0d37), released on March 26 of 2025. ### PoC 1. Create a mock Helm repository. Have its `index.yaml` endpoint return: ```yaml apiVersion: v1 entries: "example || kill 1; ech...
# Security Disclosure: SSRF via MetaIssuer Regex Bypass ## Summary Fulcio's `metaRegex()` function uses an unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services. Since the SSRF can only trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller, so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through [Blind SSRF](https://portswigger.net/web-security/ssrf/blind). ## Impact - SSRF to cloud metadata (169.254.169.254) - SSRF to internal Kubernetes APIs - SSRF to any service accessible from Fulcio's network - Affects ALL deployments using MetaIssuers ## Patches Upgrade to v1.8.5. ## Workarounds None. If anchors are included in the meta issuer configuration URL, they will be escaped before the regular expression is compiled, so this is not a sufficient mitigation. Deployments must upgrade to the latest Fulcio r...
### Impact Envoy Gateway allows users to create Lua scripts that are executed by Envoy proxy using the `EnvoyExtensionPolicy` resource. Administrators can use Kubernetes RBAC to grant users the ability to create `EnvoyExtensionPolicy` resources. Lua scripts in policies are executed in two contexts: * An `EnvoyExtensionPolicy` can be attached to Gateway and xRoute resources. Lua scripts in the policy will process traffic in that scope. * Lua scripts are interpreted and run by the Envoy Gateway controller pod for validation purposes. Lua scripts executed by Envoy proxy can be used to leak the proxy's credentials. These credentials can then be used to communicate with the control plane and gain access to all secrets that are used by Envoy proxy, e.g. TLS private keys and credentials used for downstream and upstream communication. For example, the following EnvoyExtensionPolicy, when executed by Envoy proxy, will leak the proxy's XDS client certificates. ```yaml apiVersion: gateway....
Cybersecurity researchers have disclosed details of a previously undocumented and feature-rich malware framework codenamed VoidLink that's specifically designed for long-term, stealthy access to Linux-based cloud environments. According to a new report from Check Point Research, the cloud-native Linux malware framework comprises an array of custom loaders, implants, rootkits, and modular
Menlo Park, USA, 13th January 2026, CyberNewsWire