CVE-2024-42363

CVSS V2 None CVSS V3 None

Description

Prior to 3385, the user-controlled role parameter enters the application in the Kubernetes::RoleVerificationsController. The role parameter flows into the RoleConfigFile initializer and then into the Kubernetes::Util.parse_file method where it is unsafely deserialized using the YAML.load_stream method. This issue may lead to Remote Code Execution (RCE). This vulnerability is fixed in 3385.

Overview

CVE ID
CVE-2024-42363

Assigner
GitHub_M

Vulnerability Status
PUBLISHED

Published Version
2024-08-20T20:20:03.000Z

Last Modified Date
2024-08-20T20:53:00.400Z

Weakness Enumerations

CWE	URL
CWE-502	http://cwe.mitre.org/data/definitions/502.html

References

Reference URL	Reference Tags
https://securitylab.github.com/advisories/GHSL-2023-136_Samson/	x_refsource_CONFIRM
https://github.com/zendesk/samson/pull/4071	x_refsource_MISC
https://github.com/zendesk/samson/blob/107efb4a252425966aac5e77d0c3670f9b5d7229/plugins/kubernetes/app/controllers/kubernetes/role_verifications_controller.rb#L10	x_refsource_MISC
https://github.com/zendesk/samson/blob/107efb4a252425966aac5e77d0c3670f9b5d7229/plugins/kubernetes/app/controllers/kubernetes/role_verifications_controller.rb#L7	x_refsource_MISC
https://github.com/zendesk/samson/blob/107efb4a252425966aac5e77d0c3670f9b5d7229/plugins/kubernetes/app/models/kubernetes/role_config_file.rb#L80	x_refsource_MISC
https://github.com/zendesk/samson/blob/107efb4a252425966aac5e77d0c3670f9b5d7229/plugins/kubernetes/app/models/kubernetes/util.rb#L9	x_refsource_MISC

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-42363
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42363

History

Created	Old Value	New Value	Data Type	Notes
2024-08-21 13:11:31				Added to TrackCVE