Garden provides automation for Kubernetes development and testing. Prior tov ersions 0.13.17 and 0.12.65, Garden has a dependency on the cryo library, which is vulnerable to code injection due to an insecure implementation of deserialization. Garden stores serialized objects using cryo in the Kubernetes ConfigMap resources prefixed with test-result and run-result to cache Garden test and run results. These ConfigMaps are stored either in the garden-system namespace or the configured user namespace. When a user invokes the command garden test or garden run objects stored in the ConfigMap are retrieved and deserialized. This can be used by an attacker with access to the Kubernetes cluster to store malicious objects in the ConfigMap, which can trigger a remote code execution on the users machine when cryo deserializes the object. In order to exploit this vulnerability, an attacker must have access to the Kubernetes cluster used to deploy garden remote environments. Further, a user must actively invoke either a garden test or garden run which has previously cached results. The issue has been patched in Garden versions 0.13.17 (Bonsai) and 0.12.65 (Acorn). Only Garden versions prior to these are vulnerable. No known workarounds are available.
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Garden | Garden | * | 0.12.65 (excluding) |
| Garden | Garden | 0.13.0 (including) | 0.13.17 (excluding) |
It is often convenient to serialize objects for communication or to save them for later use. However, deserialized data or code can often be modified without using the provided accessor functions if it does not use cryptography to protect itself. Furthermore, any cryptography would still be client-side security – which is a dangerous security assumption. Data that is untrusted can not be trusted to be well-formed. When developers place no restrictions on “gadget chains,” or series of instances and method invocations that can self-execute during the deserialization process (i.e., before the object is returned to the caller), it is sometimes possible for attackers to leverage them to perform unauthorized actions, like generating a shell.