Garden provides automation for Kubernetes development and testing. Prior tov ersions 0.13.17 and 0.12.65, Garden has a dependency on the cryo library, which is vulnerable to code injection due to an insecure implementation of deserialization. Garden stores serialized objects using cryo in the Kubernetes ConfigMap
resources prefixed with test-result
and run-result
to cache Garden test and run results. These ConfigMaps
are stored either in the garden-system
namespace or the configured user namespace. When a user invokes the command garden test
or garden run
objects stored in the ConfigMap
are retrieved and deserialized. This can be used by an attacker with access to the Kubernetes cluster to store malicious objects in the ConfigMap
, which can trigger a remote code execution on the users machine when cryo deserializes the object. In order to exploit this vulnerability, an attacker must have access to the Kubernetes cluster used to deploy garden remote environments. Further, a user must actively invoke either a garden test
or garden run
which has previously cached results. The issue has been patched in Garden versions 0.13.17
(Bonsai) and 0.12.65
(Acorn). Only Garden versions prior to these are vulnerable. No known workarounds are available.
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Garden | Garden | * | 0.12.65 (excluding) |
Garden | Garden | 0.13.0 (including) | 0.13.17 (excluding) |
It is often convenient to serialize objects for communication or to save them for later use. However, deserialized data or code can often be modified without using the provided accessor functions if it does not use cryptography to protect itself. Furthermore, any cryptography would still be client-side security – which is a dangerous security assumption. Data that is untrusted can not be trusted to be well-formed. When developers place no restrictions on “gadget chains,” or series of instances and method invocations that can self-execute during the deserialization process (i.e., before the object is returned to the caller), it is sometimes possible for attackers to leverage them to perform unauthorized actions, like generating a shell.