Impact
Command Injection for Kubernets Connection
Using illegal tokens to connect to a Kubernetes cluster through Koko can result in the execution of dangerous commands that may disrupt the Koko container environment and affect normal usage
Details
- Create an example of an illegal Kubernetes token like the one shown below:
- If the token is used to connect to a Kubernetes cluster, any commands executed using the token - such as
touch /tmp/hackeme - will create a file at /tmp/hackeme.
Patches
The vulnerability has been fixed in v2.28.8
Workarounds
It is recommended to upgrade the version to v2.28.8
References
Found by 长亭科技(Chaitin Tech)
Impact
Command Injection for Kubernets Connection
Using illegal tokens to connect to a Kubernetes cluster through Koko can result in the execution of dangerous commands that may disrupt the Koko container environment and affect normal usage
Details
touch /tmp/hackeme- will create a file at /tmp/hackeme.Patches
The vulnerability has been fixed in v2.28.8
Workarounds
It is recommended to upgrade the version to v2.28.8
References
Found by 长亭科技(Chaitin Tech)