title | metaTitle | metaDescription | icon | hideToC | fullWidth |
---|---|---|---|---|---|
CVE Reports | CVE Reports | Security bulletins for Common Vulnerabilities and Exposures (CVEs) related to Palette | | false | false |
A security vulnerability in the sudo -e option (aka sudoedit) allows a malicious user with sudoedit privileges to edit arbitrary files. The Palette container palette-controller-manager:mold-manager incorporates a sudo version affected by the sudoers policy bypass in sudoedit.
All versions of Palette before v2.6.70 are affected.
A local user with permission to edit files can use this flaw to change a file not permitted by the security policy, resulting in privilege escalation.
- For Palette SaaS, this has been addressed and requires no user action.
- For Palette self-hosted deployments, please upgrade to v2.6.70 or a later version to address the reported vulnerability.
None.
On May 3 2022, OpenSSL published a security advisory disclosing a command injection vulnerability in the c_rehash script included with the OpenSSL library. Some operating systems automatically execute this script as part of normal operations, which could allow an attacker to execute arbitrary commands with elevated privileges.
Palette is not directly affected by this vulnerability. However, if your cluster profile uses the vSphere CSI pack at version v2.3 or below, it contains a vulnerable version of the c_rehash script.
The c_rehash script does not properly sanitize shell metacharacters to prevent command injection. Some operating systems, and by extension some container images, distribute this script in a manner where it is executed automatically. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script.
This vulnerability has been addressed in vSphere CSI pack version v2.6 and later.
Update cluster profiles using the vSphere CSI pack to version v2.6 or greater. Apply the updated cluster profile changes to all clusters consuming the cluster profile.
Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
No impact: we use the html/template package, but our HTML templates are static, and we do not accept or parse any user-provided data.
Not Applicable
Not Applicable
Not Applicable
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.
No impact: this is not a runtime issue, and we do not compile untrusted code.
Not Applicable
Not Applicable
Not Applicable
The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).
No impact: this is not a runtime issue, and we do not compile untrusted code.
Not Applicable
Not Applicable
Not Applicable
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.
No impact: this is not a runtime issue, and we do not compile untrusted code.
Not Applicable
Not Applicable
Not Applicable
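The two cgo LDFLAGS bulletins above both describe the same shape: a flag that should be rejected arrives hidden inside the argument of another flag (either through an embedded space or through a flag whose mandatory argument is treated as optional, so the next token is absorbed). The following is an added example, not Palette's own tooling, of the kind of dependency-review check a team that *does* build third-party cgo code could run over vendored sources: it pulls every `#cgo ... LDFLAGS:` directive out of a Go source file and reports any argument that carries embedded whitespace or is not on a deliberately narrow allowlist. The allowlist and the `sample` preamble are constructed for this example and are not cmd/go's own filter.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"unicode"
)

// Finding is one LDFLAGS argument from a "#cgo" directive that a dependency
// reviewer should look at before building the module.
type Finding struct {
	Line   int
	Flag   string
	Reason string
}

// cgoLDFLAGS matches "#cgo [build constraints] LDFLAGS: <args>" in a cgo preamble.
var cgoLDFLAGS = regexp.MustCompile(`^\s*#cgo(?:\s+[^\s:]+)*\s+LDFLAGS:\s*(.*)$`)

// allowed is a hypothetical, intentionally narrow allowlist for this example:
// library and search-path flags with the argument attached, an rpath, and
// -pthread. Anything else (including "-L path" with a detached argument, the
// second bulletin's case) is reported for manual review.
var allowed = []*regexp.Regexp{
	regexp.MustCompile(`^-l[\w.+-]+$`),
	regexp.MustCompile(`^-L[\w./+${}-]+$`),
	regexp.MustCompile(`^-Wl,-rpath,[\w./+${}-]+$`),
	regexp.MustCompile(`^-pthread$`),
}

// splitQuoted splits a directive value on whitespace while keeping double-quoted
// runs together, which is how a flag ends up containing an embedded space.
// (cgo also honours single quotes and backslash escapes; omitted here.)
func splitQuoted(s string) []string {
	var args []string
	var cur strings.Builder
	inQuote, have := false, false
	for _, r := range s {
		switch {
		case r == '"':
			inQuote, have = !inQuote, true
		case !inQuote && unicode.IsSpace(r):
			if have {
				args = append(args, cur.String())
				cur.Reset()
				have = false
			}
		default:
			cur.WriteRune(r)
			have = true
		}
	}
	if have {
		args = append(args, cur.String())
	}
	return args
}

func isAllowed(arg string) bool {
	for _, re := range allowed {
		if re.MatchString(arg) {
			return true
		}
	}
	return false
}

// ScanCgoLDFLAGS returns every LDFLAGS argument in src that either carries
// embedded whitespace (one flag hiding inside another's argument) or is not on
// the allowlist. Line numbers are 1-based.
func ScanCgoLDFLAGS(src string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		m := cgoLDFLAGS.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		for _, arg := range splitQuoted(m[1]) {
			switch {
			case strings.IndexFunc(arg, unicode.IsSpace) >= 0:
				out = append(out, Finding{i + 1, arg, "embedded whitespace"})
			case !isAllowed(arg):
				out = append(out, Finding{i + 1, arg, "not on allowlist"})
			}
		}
	}
	return out
}

// sample is a constructed cgo preamble for this example, not from a real module.
const sample = `package native

/*
#cgo CFLAGS: -I${SRCDIR}/include
#cgo LDFLAGS: -L${SRCDIR}/lib -lfoo -lpthread
#cgo linux LDFLAGS: "-L/opt/vendor/lib -lvendor" -Wl,-rpath,/opt/vendor/lib
#cgo darwin LDFLAGS: -L -lbar
#include "foo.h"
*/
import "C"
`

func main() {
	for _, f := range ScanCgoLDFLAGS(sample) {
		fmt.Printf("line %d: %q (%s)\n", f.Line, f.Flag, f.Reason)
	}
}
```

Run against `sample`, the scanner reports the quoted `"-L/opt/vendor/lib -lvendor"` token on line 6 for embedded whitespace and the bare `-L` on line 7 as not allowlisted; CFLAGS directives are left alone because the bulletins concern LDFLAGS. A real review would extend the allowlist to the project's actual needs rather than loosen the whitespace rule.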
Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution.
No impact: we use the html/template package, but our HTML templates are static, and we do not accept or parse any user-provided data.
Not Applicable
Not Applicable
Not Applicable
Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.
No impact: we use the html/template package, but our HTML templates are static, and we do not accept or parse any user-provided data.
Not Applicable
Not Applicable
Not Applicable
Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.
No impact: our HTML templates are static and do not include the characters mentioned in the CVE.
Not Applicable
Not Applicable
Not Applicable
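The four html/template bulletins above are marked "no impact" because Palette's templates are static and never carry user data. For a codebase that does pass untrusted values into templates, the following added example (not Palette's code) shows what the contextual autoescaper does in each of the three contexts the bulletins name: a double-quoted JavaScript string, a backtick-delimited JavaScript template literal, and an unquoted HTML attribute. The `probe` value is a constructed hostile-looking string used only to show the escaping. The template-literal case is version dependent: Go 1.20.4 through 1.21 return an error for an action inside a template literal (the "disallow" decision described above), while Go 1.22 and later accept the template and escape the interpolated value instead.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// render parses src with html/template (contextual autoescaping) and executes
// it with data, returning the HTML or the first error from either step. The
// escaper runs at Execute time, so that is where a rejected template surfaces.
func render(src string, data interface{}) (string, error) {
	t, err := template.New("t").Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderJSString places data inside a double-quoted JavaScript string literal.
// JS string escaping is applied, so quotes, backticks and "</script>" in the
// data cannot terminate the literal or the enclosing script element.
func RenderJSString(data string) (string, error) {
	return render(`<script>var a = "{{.}}";</script>`, data)
}

// RenderJSTemplateLiteral places data inside a backtick-delimited ES6 template
// literal. Older fixed Go versions return an error here; Go 1.22+ escapes.
func RenderJSTemplateLiteral(data string) (string, error) {
	return render("<script>var a = `{{.}}`;</script>", data)
}

// RenderUnquotedAttr places data in an unquoted HTML attribute value. Spaces
// are escaped so a value cannot end the attribute and start another one, and
// an empty value is not emitted as a bare "title=" followed by ">".
func RenderUnquotedAttr(data string) (string, error) {
	return render(`<div title={{.}}></div>`, data)
}

func main() {
	// Constructed probe: backtick, closing script tag and a double quote.
	probe := "x`</script>\"y"
	cases := []struct {
		name string
		fn   func(string) (string, error)
	}{
		{"js-string", RenderJSString},
		{"js-template-literal", RenderJSTemplateLiteral},
		{"unquoted-attr", RenderUnquotedAttr},
	}
	for _, c := range cases {
		out, err := c.fn(probe)
		fmt.Printf("%-20s out=%q err=%v\n", c.name, out, err)
	}
}
```

The practical reading of the "static templates" argument on this page is visible here: the escaper's guarantees only matter once `{{.}}` is fed something an attacker controls, and the bulletins describe the narrow spots where those guarantees used to fall short.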
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
Unknown
- Self-hosted Palette version < 4.0
- Private Cloud Gateway deployed on Palette version < 4.0
- Tenant Clusters deployed on Palette version < 4.0
For self-hosted Palette environments, please upgrade to 4.0. For tenant clusters and Private Cloud Gateway, please use on-demand or scheduled OS patching features to apply the OS security patches.
Not Applicable
In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.
Unknown
- Self-hosted Palette version < 4.0
- Private Cloud Gateway deployed on Palette version < 4.0
- Tenant Clusters deployed on Palette version < 4.0
For self-hosted Palette environments, please upgrade to 4.0. For tenant clusters and Private Cloud Gateway, please use on-demand or scheduled OS patching features to apply the OS security patches.
Not Applicable
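Three bulletins on this page state their affected ranges as version thresholds: the sudoedit issue (first entry: Palette before v2.6.70; last entry: sudo 1.8.0 through 1.9.12p1, fixed in 1.9.12p2) and the OpenSSH ssh-agent PKCS#11 issue (before 9.3p2). Comparing such versions correctly is slightly awkward because sudo and OpenSSH append a "p<N>" patch level (1.9.12 < 1.9.12p1 < 1.9.12p2). The following is an added example, not Palette's own tooling, that parses these version strings, extracts them from the banners printed by `sudo --version` and `ssh -V`, and checks an inventory against the ranges quoted from the bulletins. The `inventory` banners are constructed sample values, not captured from a real host; the Palette version is assumed to be available as a plain "vX.Y.Z" string.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Version is a parsed package version such as "1.9.12p1", "9.3p2" or "v2.6.70":
// dotted numeric components plus an optional "p<N>" patch-level suffix.
type Version struct {
	Parts []int
	Patch int // -1 when the version carries no "p" suffix
}

// versionRE accepts an optional leading "v", dotted digits and an optional "pN";
// bannerRE finds the first such token inside tool output ("Sudo version 1.9.12p2").
var (
	versionRE = regexp.MustCompile(`^v?(\d+(?:\.\d+)*)(?:p(\d+))?$`)
	bannerRE  = regexp.MustCompile(`\d+(?:\.\d+)+(?:p\d+)?`)
)

// ParseVersion turns a version string into comparable components.
func ParseVersion(s string) (Version, error) {
	m := versionRE.FindStringSubmatch(strings.TrimSpace(s))
	if m == nil {
		return Version{}, fmt.Errorf("unrecognised version %q", s)
	}
	v := Version{Patch: -1}
	for _, p := range strings.Split(m[1], ".") {
		n, _ := strconv.Atoi(p) // digits only, guaranteed by versionRE
		v.Parts = append(v.Parts, n)
	}
	if m[2] != "" {
		v.Patch, _ = strconv.Atoi(m[2])
	}
	return v, nil
}

// VersionFromBanner extracts the version token from e.g. the first line of
// "sudo --version" or the output of "ssh -V".
func VersionFromBanner(banner string) (string, error) {
	if tok := bannerRE.FindString(banner); tok != "" {
		return tok, nil
	}
	return "", fmt.Errorf("no version found in %q", banner)
}

func at(xs []int, i int) int {
	if i < len(xs) {
		return xs[i]
	}
	return 0 // missing components count as zero: 9.3 == 9.3.0
}

func cmpInt(a, b int) int {
	if a < b {
		return -1
	}
	if a > b {
		return 1
	}
	return 0
}

// Compare returns -1, 0 or 1. A version without a patch suffix sorts before "p1".
func (v Version) Compare(o Version) int {
	for i := 0; i < len(v.Parts) || i < len(o.Parts); i++ {
		if c := cmpInt(at(v.Parts, i), at(o.Parts, i)); c != 0 {
			return c
		}
	}
	return cmpInt(v.Patch, o.Patch)
}

// Advisory is one bulletin's affected range: versions >= First (when given) and < Fixed.
type Advisory struct {
	Component, First, Fixed string
}

// Ranges quoted from the bulletins on this page.
var Advisories = []Advisory{
	{Component: "palette", Fixed: "v2.6.70"},
	{Component: "sudo", First: "1.8.0", Fixed: "1.9.12p2"},
	{Component: "openssh", Fixed: "9.3p2"},
}

// Affected reports whether an installed version lies inside the advisory's range.
func Affected(a Advisory, installed string) (bool, error) {
	v, err := ParseVersion(installed)
	if err != nil {
		return false, err
	}
	fixed, err := ParseVersion(a.Fixed)
	if err != nil {
		return false, err
	}
	if v.Compare(fixed) >= 0 {
		return false, nil
	}
	if a.First != "" {
		first, err := ParseVersion(a.First)
		if err != nil {
			return false, err
		}
		if v.Compare(first) < 0 {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	// Constructed sample banners for this example (not captured from a real host).
	inventory := map[string]string{
		"sudo":    "Sudo version 1.9.12p1\nSudoers policy plugin version 1.9.12p1",
		"openssh": "OpenSSH_9.3p2, OpenSSL 3.0.2 15 Mar 2022",
		"palette": "v2.6.69",
	}
	for _, a := range Advisories {
		tok, err := VersionFromBanner(inventory[a.Component])
		if err != nil {
			fmt.Println(a.Component, err)
			continue
		}
		hit, _ := Affected(a, tok)
		fmt.Printf("%-8s %-10s affected=%v\n", a.Component, tok, hit)
	}
}
```

With the sample inventory, sudo 1.9.12p1 and Palette v2.6.69 are reported as affected and OpenSSH 9.3p2 is not. For tenant clusters and the Private Cloud Gateway, this is the kind of check the OS patching feature mentioned above makes unnecessary once the patches are applied; it remains useful for confirming that a patch actually landed.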