CVE-2024-42363

Prior to 3385, the user-controlled role parameter enters the application in the Kubernetes::RoleVerificationsController. The role parameter flows into the RoleConfigFile initializer and then into the Kubernetes::Util.parse_file method where it is unsafely deserialized using the YAML.load_stream method. This issue may lead to Remote Code Execution (RCE). This vulnerability is fixed in 3385.

Weakness

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Potential Mitigations

• Make fields transient to protect them from deserialization.
• An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/586.html

References

• https://github.com/zendesk/samson/blob/107efb4a252425966aac5e77d0c3670f9b5d7229/plugins/kubernetes/app/controllers/kubernetes/role_verifications_controller.rb#L10
• https://github.com/zendesk/samson/blob/107efb4a252425966aac5e77d0c3670f9b5d7229/plugins/kubernetes/app/controllers/kubernetes/role_verifications_controller.rb#L7
• https://github.com/zendesk/samson/blob/107efb4a252425966aac5e77d0c3670f9b5d7229/plugins/kubernetes/app/models/kubernetes/role_config_file.rb#L80
• https://github.com/zendesk/samson/blob/107efb4a252425966aac5e77d0c3670f9b5d7229/plugins/kubernetes/app/models/kubernetes/util.rb#L9
• https://github.com/zendesk/samson/pull/4071
• https://securitylab.github.com/advisories/GHSL-2023-136_Samson/