Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2023-37264: Pipelines do not validate child UIDs #6909

Open
wlynch opened this issue Jul 7, 2023 · 2 comments
Open

CVE-2023-37264: Pipelines do not validate child UIDs #6909

wlynch opened this issue Jul 7, 2023 · 2 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.

Comments

@wlynch
Copy link
Member

wlynch commented Jul 7, 2023

Opening an issue based on GHSA-w2h3-vvvq-3m53 if anyone wants to pick this up 🙏

Expected Behavior

PipelineRuns only look at TaskRuns that it generates.

Actual Behavior

PipelineRuns will accept any TaskRun that matches the correct name, even if it was not generated from the Pipeline.

Steps to Reproduce the Problem

See GHSA-w2h3-vvvq-3m53

Additional Info

The PipelineRun reconciler should check the TaskRun UIDs match.
@wlynch wlynch added the kind/bug Categorizes issue or PR as related to a bug. label Jul 7, 2023
@imjasonh imjasonh mentioned this issue Jul 17, 2023
Merged
5 tasks
@adambkaplan adambkaplan mentioned this issue Aug 1, 2023
Open
@tekton-robot
Copy link
Collaborator

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

@tekton-robot tekton-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 5, 2023
@vdemeester
Copy link
Member

/lifecycle frozen

@tekton-robot tekton-robot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Oct 5, 2023
@wlynch wlynch mentioned this issue Oct 5, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@vdemeester @wlynch @tekton-robot