GHSA-VJHC-CF4P-72Q4

Vulnerability from github – Published: 2026-06-30 18:15 – Updated: 2026-06-30 18:15
Summary
Fission: Cross-namespace Environment reference in Package allows build-time command execution and SA token exfiltration
Details

Summary

Fission's buildermgr controller processed Package CRDs without verifying that Package.spec.environment.namespace matched Package.metadata.namespace.

Details

An attacker with packages.fission.io/create in their own namespace could set spec.environment.namespace to any other tenant's namespace. The controller then used its high-privilege service account to fetch the Environment cross-namespace and dispatch the build command into the victim namespace's builder pod.

The build command's stdout is written verbatim into Package.status.buildlog. By running malicious code through an npm preinstall lifecycle hook (or any equivalent build step), the attacker could read the victim namespace's fission-builder Bearer token from inside that builder pod and surface it through the build log — then use the leaked token to read every Secret and ConfigMap in the victim namespace.

Impact

Cross-tenant compromise: a package author in one namespace could execute code inside another tenant's builder pod and exfiltrate that namespace's fission-builder service-account token, giving namespace-wide secret and configmap read in the victim namespace.

Fix

Fixed in #3379 and released in v1.24.0. Two checks in series:

  • Admission webhook (pkg/webhook/package.go::Validate) rejects Package.spec.environment.namespace != Package.metadata.namespace. An empty namespace is still accepted; the controllers default it to the package's own namespace.
  • Controller belt-and-braces: the same check is repeated in pkg/buildermgr/pkgwatcher.go::build and pkg/buildermgr/common.go::buildPackage before the cross-namespace Environments(...).Get call, so a stale Package CR or a webhook-bypass cluster (failurePolicy=Ignore) cannot exploit the primitive either.

Behavioural change

Packages that explicitly set spec.environment.namespace to a different namespace are now rejected at admission. Empty-string remains accepted (resolves to the package's own namespace, the same as the prior implicit behaviour).
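The namespace rule described in the Fix and Behavioural change sections, written out as a stand-alone Go example. This is added illustrative code, not Fission's own implementation: the `Package`, `ObjectMeta` and `EnvironmentReference` types are a minimal constructed mirror of the CR fields the advisory names, `envGetter` stands in for the `Environments(...).Get` client call, and the function names are assumptions. It shows the same check applied at admission time and again on the controller path before any Environment lookup, plus an audit helper an operator could use to find already-stored Packages that the new rule would reject.

```go
package main

import (
	"errors"
	"fmt"
)

// Minimal mirror of the Package CR fields the advisory names. Constructed
// for this example; these are not Fission's own Go types.
type ObjectMeta struct {
	Name      string
	Namespace string
}

type EnvironmentReference struct {
	Name      string
	Namespace string
}

type PackageSpec struct {
	Environment EnvironmentReference
}

type Package struct {
	Metadata ObjectMeta
	Spec     PackageSpec
}

// ErrCrossNamespaceEnvironment marks a Package that points at an Environment
// in a namespace other than its own.
var ErrCrossNamespaceEnvironment = errors.New("cross-namespace environment reference is not allowed")

// resolveEnvironmentNamespace applies the rule from the Fix section: an empty
// spec.environment.namespace defaults to the package's own namespace, and any
// other value must equal metadata.namespace.
func resolveEnvironmentNamespace(pkg Package) (string, error) {
	envNS := pkg.Spec.Environment.Namespace
	if envNS == "" {
		return pkg.Metadata.Namespace, nil
	}
	if envNS != pkg.Metadata.Namespace {
		return "", fmt.Errorf("package %s/%s references environment namespace %q: %w",
			pkg.Metadata.Namespace, pkg.Metadata.Name, envNS, ErrCrossNamespaceEnvironment)
	}
	return envNS, nil
}

// validatePackage is the admission-side check (the role of the webhook's
// Validate); it rejects the object before it is persisted.
func validatePackage(pkg Package) error {
	_, err := resolveEnvironmentNamespace(pkg)
	return err
}

// envGetter stands in for the Environments(namespace).Get client call (assumption).
type envGetter func(namespace, name string) error

// buildPackage repeats the check on the controller side, before the Environment
// lookup, so a stale CR or a webhook with failurePolicy=Ignore never reaches
// the cross-namespace fetch.
func buildPackage(pkg Package, get envGetter) (string, error) {
	ns, err := resolveEnvironmentNamespace(pkg)
	if err != nil {
		return "", err
	}
	if err := get(ns, pkg.Spec.Environment.Name); err != nil {
		return "", err
	}
	return ns, nil
}

// auditPackages returns "namespace/name" for every stored Package that the new
// rule would reject, for an operator reviewing a cluster before the upgrade.
func auditPackages(pkgs []Package) []string {
	var offenders []string
	for _, p := range pkgs {
		if err := validatePackage(p); err != nil {
			offenders = append(offenders, p.Metadata.Namespace+"/"+p.Metadata.Name)
		}
	}
	return offenders
}

func main() {
	// Constructed sample inventory: explicit own namespace, implicit (empty)
	// namespace, and a reference into another tenant's namespace.
	pkgs := []Package{
		{Metadata: ObjectMeta{Name: "api", Namespace: "tenant-a"}, Spec: PackageSpec{Environment: EnvironmentReference{Name: "node", Namespace: "tenant-a"}}},
		{Metadata: ObjectMeta{Name: "worker", Namespace: "tenant-a"}, Spec: PackageSpec{Environment: EnvironmentReference{Name: "node"}}},
		{Metadata: ObjectMeta{Name: "probe", Namespace: "tenant-a"}, Spec: PackageSpec{Environment: EnvironmentReference{Name: "node", Namespace: "tenant-b"}}},
	}
	fmt.Println("packages the new rule rejects:", auditPackages(pkgs))

	// On the controller path the getter is never reached for the offending package.
	called := false
	get := func(ns, name string) error { called = true; return nil }
	_, err := buildPackage(pkgs[2], get)
	fmt.Println("build rejected:", errors.Is(err, ErrCrossNamespaceEnvironment), "getter called:", called)
}
```

Running the audit against a live cluster would mean listing Packages across all namespaces with the Fission client and feeding them to `auditPackages`; the empty-namespace case is deliberately reported as clean, matching the advisory's statement that empty-string remains accepted.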


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.23.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fission/fission"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.24.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-49821"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-441",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-30T18:15:27Z",
    "nvd_published_at": "2026-06-10T18:17:10Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nFission\u0027s `buildermgr` controller processed `Package` CRDs without verifying that `Package.spec.environment.namespace` matched `Package.metadata.namespace`.\n\n### Details\n\nAn attacker with `packages.fission.io/create` in their own namespace could set `spec.environment.namespace` to any other tenant\u0027s namespace. The controller then used its high-privilege service account to fetch the Environment\ncross-namespace and dispatch the build command into the **victim namespace\u0027s** builder pod.\n\nThe build command\u0027s stdout is written verbatim into `Package.status.buildlog`. By running malicious code through an npm `preinstall` lifecycle hook (or any equivalent build step), the attacker could read the victim namespace\u0027s\n`fission-builder` Bearer token from inside that builder pod and surface it through the build log \u2014 then use the leaked token to read every Secret and ConfigMap in the victim namespace.\n\n### Impact\n\nCross-tenant compromise: a package author in one namespace could execute code inside another tenant\u0027s builder pod and exfiltrate that namespace\u0027s `fission-builder` service-account token, giving namespace-wide secret and configmap read in\n the victim namespace.\n\n### Fix\n\nFixed in [#3379](https://github.com/fission/fission/pull/3379) and released in [v1.24.0](https://github.com/fission/fission/releases/tag/v1.24.0). Two checks in series:\n\n- **Admission webhook** (`pkg/webhook/package.go::Validate`) rejects `Package.spec.environment.namespace != Package.metadata.namespace`. An empty namespace is still accepted; the controllers default it to the package\u0027s own namespace.\n- **Controller belt-and-braces:** the same check is repeated in `pkg/buildermgr/pkgwatcher.go::build` and `pkg/buildermgr/common.go::buildPackage` before the cross-namespace `Environments(...).Get` call, so a stale Package CR or a\nwebhook-bypass cluster (`failurePolicy=Ignore`) cannot exploit the primitive either.\n\n### Behavioural change\n\nPackages that explicitly set `spec.environment.namespace` to a different namespace are now rejected at admission. Empty-string remains accepted (resolves to the package\u0027s own namespace, the same as the prior implicit behaviour).",
  "id": "GHSA-vjhc-cf4p-72q4",
  "modified": "2026-06-30T18:15:27Z",
  "published": "2026-06-30T18:15:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fission/fission/security/advisories/GHSA-vjhc-cf4p-72q4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49821"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fission/fission/pull/3379"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fission/fission/commit/e2b92663499f4dc3a1e2d38178f39c3c65e0134a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fission/fission"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fission/fission/releases/tag/v1.24.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Fission: Cross-namespace Environment reference in Package allows build-time command execution and SA token exfiltration"
}

