Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Arbitrary WASM Code Execution via AnnotationOverrideFlight Injection in Yoke ATC
Vulnerability Description
Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. It allows users with CR create/update permissions to execute arbitrary WASM code in the ATC controller context by injecting a malicious URL through the overrides.yoke.cd/flight annotation. The ATC controller downloads and executes the WASM module without proper URL validation, enabling attackers to create arbitrary Kubernetes resources or potentially escalate privileges to cluster-admin level.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Vulnerability Title
yoke 代码注入漏洞
Vulnerability Description
yoke是YokeCD开源的一个Kubernetes包管理工具。 Yoke 0.19.0及之前版本存在代码注入漏洞,该漏洞源于Air Traffic Controller组件缺乏适当的URL验证,允许具有CR创建或更新权限的用户通过注入恶意URL执行任意WASM代码,可能导致创建任意Kubernetes资源或权限提升。
CVSS Information
N/A
Vulnerability Type
N/A